Sidewinder G2 6.1.1 Administration Guide - Glossary of Technical ...

ADMINISTRATION GUIDE

ADMINISTRATION GUIDE

Copyright
© 2005 Secure Computing Corporation. All rights reserved. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written
permission of Secure Computing Corporation.
Trademarks
Secure Computing, SafeWord, Sidewinder, Sidewinder G2, SmartFilter, Type Enforcement, SofToken, Enterprise Strong,
Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess and Strikeback are trademarks of Secure
Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Enterprise
Manager, SmartReporter, On-Box, Application Defenses, RemoteAccess, Sentian, Securing connections between people,
applications and networks are trademarks of Secure Computing Corporation. All other trademarks, tradenames, service
marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.
Software License Agreement
The following is a copy of the Software License Agreement as shown in the software:
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING
"I ACCEPT" BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING
THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS. IF YOU DO NOT AGREE WITH THIS
AGREEMENT, THEN CLICK "I DO NOT ACCEPT" BELOW AND RETURN ALL COPIES OF THE SOFTWARE AND
DOCUMENTATION TO SECURE COMPUTING CORPORATION ("SECURE COMPUTING") OR THE RESELLER FROM
WHOM YOU OBTAINED THE SOFTWARE.
If this Software is being installed by a third party (for example, a value-added reseller, consultant, employee, or agent),
such third party represents that it has the authority to bind the person or entity for whom the Software is being
installed, and that its acceptance of this Agreement in the manner set forth above does bind such person or entity.
1. Grant of License. Secure Computing grants to you, and you accept, a non-exclusive, and non-transferable license
(without right to sub-license) to use the Software Products as defined herein on a single machine.
2. Software Products. "Software Product(s)" means (i) the machine-readable object-code versions of the Software of
Secure Computing contained in the media (the "Software"), (ii) the published user manuals and documentation that are
made available for the Software (the "Documentation") and (iii) any updates or revisions of the Software or
Documentation that you may receive (the "Update"). Under no circumstances will you receive any source code of the
Software. Software Products provided for use as "backup" in the event of failure of a primary unit may be used only to
replace the primary unit after a failure in fact occurs. They may not be used to provide any capability in addition to the
functioning primary system that they backup.
3. Limitation of Use. You may not: 1) copy, except to make one copy of the Software solely for back-up or archival
purposes; 2) transfer, distribute, rent, lease or sublicense all or any portion of the Software Product to any third party;
3) translate, modify, adapt, decompile, disassemble, or reverse engineer any Software Product in whole or in part; or 4)
modify or prepare derivative works of the Software Products.
4. Limited Warranty and Remedies. Secure Computing warrants that the medium/media on which its Software is
recorded is/are free from defects in material and workmanship under normal use and service for a period of ninety
(90) days from the date of shipment to you.
Secure Computing does not warrant that the functions contained in the Software will meet your requirements or that
operation of the program will be uninterrupted or error-free. The Software is furnished "AS IS" and without warranty as
to the performance or results you may obtain by using the Software. The entire risk as to the results and performance
of the Software is assumed by you. If you do not receive media which is free from defects in materials and
workmanship during the 90-day warranty period, you will receive a refund for the amount paid for the Software
Product returned.
5. Limitation Of Warranty And Remedies. THE WARRANTIES STATED HEREIN ARE IN LIEU OF ALL OTHER
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. SOME STATES AND COUNTRIES DO NOT ALLOW THE EXCLUSION OF IMPLIED
WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC
LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS WHICH VARY BY STATE OR COUNTRY.
i

ii
SECURE COMPUTING'S AND ITS LICENSORS ENTIRE LIABILITY UNDER, FOR BREACH OF, OR ARISING OUT OF
THIS AGREEMENT, IS LIMITED TO A REFUND OF THE PURCHASE PRICE OF THE PRODUCT OR SERVICE THAT
GAVE RISE TO THE CLAIM. IN NO EVENT SHALL SECURE COMPUTING OR ITS LICENSORS BE LIABLE FOR YOUR
COST OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING OR ITS LICENSORS BE
LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES
WHETHER OR NOT SECURE COMPUTING HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
6. Term and Termination. This license is effective until terminated. You may terminate it at any time by destroying
the Software Product, including all computer programs and documentation, and erasing any copies residing on
computer equipment. This Agreement also will automatically terminate if you do not comply with any terms or
conditions of this Agreement. Upon such termination you agree to destroy the Software Product and erase all copies
residing on computer equipment.
7. Ownership. This Software is licensed (not sold) to you. All intellectual property rights including trademarks, service
marks, patents, copyrights, trade secrets, and other proprietary rights in or related to the Software Products are and will
remain the property of Secure Computing or its licensors, whether or not specifically recognized or protected under
local law. You will not remove any product identification, copyright notices, or other legends set forth on the Software
Product.
8. Export Restrictions. You agree to comply with all applicable United States export control laws and regulations,
including without limitation, the laws and regulations administered by the United States Department of Commerce and
the United States Department of State.
9. U.S. Government Rights. Software Products furnished to the U.S. Government are provided on these commercial
terms and conditions as set forth in DFARS 227.7202-1(a).
10. Entire Agreement. This Agreement is our offer to license the Software Product to you exclusively on the terms set
forth in this Agreement, and is subject to the condition that you accept these terms in their entirety. If you have
submitted (or hereafter submit) different, additional, or other alternative terms to Secure Computing or any reseller or
authorized dealer, whether through a purchase order or otherwise, we object to and reject those terms. Without
limiting the generality of the foregoing, to the extent that you have submitted a purchase order for the Software
Product, any shipment to you of the Software Product is not an acceptance of your purchase order, but rather is a
counteroffer subject to your acceptance of this Agreement without any objections or modifications by you. To the
extent that we are deemed to have formed a contract with you related to the Software Product prior to your acceptance
of this Agreement, this Agreement shall govern and shall be deemed to be a modification of any prior terms in their
entirety.
11. General. Any waiver of or modification to the terms of this Agreement will not be effective unless executed in
writing and signed by Secure Computing. If any provision of this Agreement is held to be unenforceable, in whole or
in part, such holding shall not affect the validity of the other provisions of this Agreement. You may not assign this
License or any associated transactions without the written consent of Secure Computing. This License shall be
governed by and construed in accordance with the laws of California, without regard to its conflicts of laws provisions.

Other Terms and Conditions
This product contains software developed by the Net-SNMP project. Copyright © 1989, 1991, 1992 by Carnegie Mellon
University. Copyright © 1996, 1998-2000 The Regents of the University of California. All Rights Reserved. Copyright ©
2001-2002, Networks Associates Technology, Inc. All rights reserved. Portions of this code are copyright © 2001-2002,
Cambridge Broadband Ltd. All rights reserved.
This product contains software developed through the Internet Software Consortium (http://www.isc.org). Copyright ©
1996-2001 Internet Software Consortium. Portions Copyright © 1996-2001 Nominum, Inc.
This product contains software developed by Sendmail, Inc. Copyright © 1998-2001 Sendmail, Inc. All rights reserved.
This product includes software and algorithms developed by RSA Data Security Inc.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org) Copyright © 1998-2000 The OpenSSL Project. All rights reserved.
This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://
www.apache.org/).
This product utilizes MySQL (http://www.mysql.com/). Copyright © 1995, 1996, 2000 TcX AB & Monty Program KB &
Detron Stockholm SWEDEN, Helsingfors FINLAND and Uppsala SWEDEN. All rights reserved.
This product incorporates compression code from the Info-ZIP group. There are no extra charges or costs due to the use
of this code, and the original compression sources are freely available from http://www.cdrom.com/pub/infozip/ or ftp:/
/ftp.cdrom.com/pub/infozip/ on the Internet.
This product includes software developed at the Information Technology Division, US Naval Research Laboratory.
Copyright 1995 US Naval Research Laboratory (NRL). All Rights Reserved.
This product includes software developed by the University of California, Berkeley and its contributors. Copyright ©
1991, 1992, 1993, 1994, 1995, 1996 Berkeley Software Design Inc. Copyright © 1997, 1998, 1999, 2000, 2001 Berkeley
Software Design Inc. All rights reserved. Copyright © 2001 Wind River Systems, Inc. All rights reserved.
This product uses unmodified GNU software. GNU source code is available on request by contacting Secure Computing.
Pine and Pico are registered trademarks of the University of Washington. No commercial use of these trademarks may be
made without prior written permission of the University of Washington. Pine, Pico, and Pilot software and its included
text are Copyright 1989-1996 by the University of Washington.
The Sidewinder G2 Guided Tour contains an embedded TechSmith® Screen Capture Codec that is required to view the
Guided Tour.. The embedded TechSmith Screen Capture Codec is distributed without charge, royalty, or licensing
requirement.
iii

iv
Technical Support information
Secure Computing works closely with our Channel Partners to offer worldwide Technical Support services. If you
purchased this product through a Secure Computing Channel Partner, please contact your reseller directly for support
needs.
To contact Secure Computing Technical Support directly, telephone +1.800.700.8328 or +1.651.628.1500. If you prefer,
send an e-mail to support@securecomputing.com. To inquire about obtaining a support contract, refer to our "Contact
Secure" Web page for the latest information at www.securecomputing.com.
Customer Advocate information
To suggest enhancements in a product or service, or to request assistance in resolving a problem, please contact a
Customer Advocate at +1.877.851.9080. If you prefer, send an e-mail to customer_advocate@securecomputing.com.
If you have comments or suggestions you would like to make regarding this document or any other Secure Computing
document, please send an e-mail to techpubs@securecomputing.com.
Printing history
Date Part number Software release
February 2004 SWOP-MN-ADMN61-A Sidewinder G2, Version 6.1
May 2004 SWOP-MN-ADMN61-B Sidewinder G2, Version 6.1.0.02
February 2005 SWOP-MN-ADMN61-C Sidewinder G2, Version 6.1.1

Table of Contents
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
What is the Sidewinder G2 Security Appliance? . . . . . . . . . . . . . 1-1
Sidewinder G2 management options . . . . . . . . . . . . . . . . . . . . . 1-3
The Type Enforced environment . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Sidewinder G2 kernels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
How Type Enforcement works . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Type Enforcement’s effects . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Additional Sidewinder G2 operating characteristics . . . . . . . . . . 1-9
Burbs and network stack separation . . . . . . . . . . . . . . . . . . . . 1-9
Proxy software and access control . . . . . . . . . . . . . . . . . . . . 1-11
IP filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
daemond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Network Services Sentry (NSS) . . . . . . . . . . . . . . . . . . . . . . 1-16
Chapter 2: Administrator’s Overview . . . . . . . . . . . . . . . . 2-1
Administration interface options . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Admin Console basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Starting and exiting the Admin Console . . . . . . . . . . . . . . . . . 2-3
Adding a Sidewinder G2 to the Admin Console . . . . . . . . . . . 2-4
Connecting to a Sidewinder G2 via the Admin Console . . . . . 2-5
About the main Admin Console window . . . . . . . . . . . . . . . . . 2-8
Admin Console conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Using the Admin Console File Editor . . . . . . . . . . . . . . . . . . . . 2-12
Opening and saving files in the File Editor . . . . . . . . . . . . . . 2-13
Creating a backup file in the File Editor . . . . . . . . . . . . . . . . 2-14
Restoring a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Using the Find/Replace option . . . . . . . . . . . . . . . . . . . . . . . 2-16
Remote administration using Secure Shell . . . . . . . . . . . . . . . . 2-17
Configuring the Sidewinder G2 as an SSH server . . . . . . . . 2-17
Configuring and using the Sidewinder G2 as an SSH client . 2-20
Configuring the SSH Admin Console windows . . . . . . . . . . . 2-22
Tips on using SSH with Sidewinder G2 . . . . . . . . . . . . . . . . 2-24
Administering Sidewinder G2 using Telnet . . . . . . . . . . . . . . . . 2-24
T
Table of Contents v

T
Table of Contents
vi Table of Contents
Setting up an internal (trusted) Telnet server . . . . . . . . . . . . 2-24
Setting up an external Telnet server . . . . . . . . . . . . . . . . . . . 2-25
Connecting to the Sidewinder G2 using Telnet . . . . . . . . . . . 2-26
Chapter 3: General System Tasks . . . . . . . . . . . . . . . . . . . 3-1
Restarting or shutting down the system . . . . . . . . . . . . . . . . . . . 3-2
Powering-on the system to the Operational kernel . . . . . . . . . 3-2
Rebooting or shutting down using the Admin Console . . . . . . 3-3
Rebooting or shutting down using a command line interface . 3-4
Setting up and maintaining administrator accounts . . . . . . . . . . 3-5
Adding or modifying an administrator account . . . . . . . . . . . . 3-7
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Setting the system date and time . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Viewing/changing the date and time . . . . . . . . . . . . . . . . . . . . 3-9
Changing the date or time using the config_time utility . . . . . 3-10
Using system roles to access type enforced domains . . . . . . . 3-11
Checking which kernel you are running (uname) . . . . . . . . . 3-11
Checking which domain you are using (whereami) . . . . . . . . 3-12
Changing your domain access using the system role (srole)
command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12
Configuration file backup and restore . . . . . . . . . . . . . . . . . . . . 3-13
Backing up and restoring configuration files using the Admin
Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Activating the Sidewinder G2 license . . . . . . . . . . . . . . . . . . . . 3-19
Licensing from a Sidewinder G2 connected to the Internet . 3-20
Licensing from a Sidewinder G2 on an isolated network . . . 3-20
Configuring the Firewall License tabs . . . . . . . . . . . . . . . . . . 3-22
Displaying the status of features on Sidewinder G2 . . . . . . . 3-27
Protected host licensing and the Host Enrollment List . . . . . . . 3-27
How hosts are calculated . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
Displaying and modifying the Host Enrollment List . . . . . . . . 3-29
Enabling and disabling servers . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Configuring the synchronization server . . . . . . . . . . . . . . . . . . . 3-33
Configuring scanning services . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Configuring the shund server . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Loading and installing patches . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
Viewing currently installed patches . . . . . . . . . . . . . . . . . . . . 3-42
Loading a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Installing a patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Modifying the burb configuration . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Modifying the interface configuration . . . . . . . . . . . . . . . . . . . . 3-50
Modifying the static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-54
Configuring remote Admin Console management . . . . . . . . . . 3-56

Table of Contents
Enabling and disabling multi-processor mode . . . . . . . . . . . . . 3-57
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . . . 3-58
Configuring the Sidewinder G2 to use a UPS . . . . . . . . . . . . 3-59
Enabling/disabling the UPS server . . . . . . . . . . . . . . . . . . . . 3-60
Chapter 4: Understanding Policy Configuration . . . . . . . 4-1
Policy configuration basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
An example of traffic being processed by the active rules . . . 4-4
Ordering proxy rules within a rule group . . . . . . . . . . . . . . . . . 4-5
Rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Planning for rule elements . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7
Users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9
Service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
Using Application Defense groups and service groups to
minimize rule creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16
Proxy rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-17
Basic criteria used to allow or deny a connection . . . . . . . . . 4-17
Optional criteria used to allow or deny a connection . . . . . . . 4-18
Using NAT and redirection in proxy rules . . . . . . . . . . . . . . . 4-19
Simple proxy rule examples . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
Example of proxy rules using netgroups . . . . . . . . . . . . . . . . 4-22
Advanced proxy rule example using service groups . . . . . . . 4-24
Default rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
IP Filter rule basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Using IP Filter to filter non-TCP/UDP traffic . . . . . . . . . . . . . 4-29
Using IP Filter to filter TCP/UDP traffic . . . . . . . . . . . . . . . . . 4-30
Using NAT and redirection for IP Filter rules . . . . . . . . . . . . . 4-31
Sharing IP Filter sessions in an HA cluster . . . . . . . . . . . . . . 4-36
Specifying the number of TCP or UDP IP Filter sessions . . . 4-36
Chapter 5: Creating Rule Elements . . . . . . . . . . . . . . . . . . 5-1
Creating users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Configuring users or user groups . . . . . . . . . . . . . . . . . . . . . . 5-3
Managing user group membership . . . . . . . . . . . . . . . . . . . . . 5-8
Creating network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
Displaying network objects and netgroups . . . . . . . . . . . . . . 5-10
Configuring domain objects . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12
Configuring host objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Configuring IP address objects . . . . . . . . . . . . . . . . . . . . . . . 5-15
Configuring netmaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16
Configuring subnet objects . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Table of Contents vii

Table of Contents
viii Table of Contents
Configuring netgroup object . . . . . . . . . . . . . . . . . . . . . . . . . 5-18
Managing netgroup membership . . . . . . . . . . . . . . . . . . . . . 5-20
Creating service groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Chapter 6: Configuring Application Defenses . . . . . . . . . 6-1
Viewing Application Defense information . . . . . . . . . . . . . . . . . . 6-1
Overview of the Application Defense windows . . . . . . . . . . . . 6-2
Creating Web or Secure Web Application Defenses . . . . . . . . . 6-4
Configuring the Web/Secure Web Enforcements tab . . . . . . . 6-5
Configuring the Web/Secure Web URL Control tab . . . . . . . . 6-8
Configuring the Web/Secure Web HTTP Request tab . . . . . 6-10
Configuring Web/Secure Web HTTP Reply tab . . . . . . . . . . 6-11
Configuring the Web/Secure Web MIME/Virus tab . . . . . . . . 6-13
Configuring the Web/Secure Web Content Control tab . . . . 6-17
Configuring the Web/Secure Web Connection tab . . . . . . . . 6-18
Creating Web Cache Application Defenses . . . . . . . . . . . . . . . 6-19
Configuring the Web Cache Application Defense window . . 6-19
Creating Mail Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-21
Configuring the Mail Control tab . . . . . . . . . . . . . . . . . . . . . . 6-22
Configuring the Mail Size tab . . . . . . . . . . . . . . . . . . . . . . . . 6-23
Configuring the Mail Keyword Search tab . . . . . . . . . . . . . . . 6-24
Configuring the Mail MIME/Virus tab . . . . . . . . . . . . . . . . . . . 6-26
Creating Citrix Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-31
Configuring the Citrix Enforcements tab . . . . . . . . . . . . . . . . 6-32
Configuring the Citrix Filters tab . . . . . . . . . . . . . . . . . . . . . . 6-32
Configuring the Citrix Connections tab . . . . . . . . . . . . . . . . . 6-33
Creating FTP Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-33
Configuring the FTP Filter tab . . . . . . . . . . . . . . . . . . . . . . . . 6-33
Configuring the FTP Connection tab . . . . . . . . . . . . . . . . . . . 6-34
Creating IIOP Application Defenses . . . . . . . . . . . . . . . . . . . . . 6-34
Configuring the IIOP Connection tab . . . . . . . . . . . . . . . . . . 6-35
Creating Multimedia Application Defenses . . . . . . . . . . . . . . . . 6-36
Configuring the Multimedia General tab . . . . . . . . . . . . . . . . 6-36
Configuring the H.323 Filter tab . . . . . . . . . . . . . . . . . . . . . . 6-36
Configuring the T120 Filter tab . . . . . . . . . . . . . . . . . . . . . . . 6-38
Configuring the Multimedia Connection tab . . . . . . . . . . . . . 6-38
Creating Oracle Application Defenses . . . . . . . . . . . . . . . . . . . 6-38
Configuring the Enforcements tab . . . . . . . . . . . . . . . . . . . . . 6-39
Configuring the Service Name (SID) tab . . . . . . . . . . . . . . . . 6-40
Configuring the Oracle Connection tab . . . . . . . . . . . . . . . . . 6-40
Creating SOCKS Application Defenses . . . . . . . . . . . . . . . . . . 6-41
Configuring the SOCKS 5 Filter tab . . . . . . . . . . . . . . . . . . . 6-41
Configuring the SOCKS Connections tab . . . . . . . . . . . . . . . 6-41

Table of Contents
Creating SNMP Application Defenses . . . . . . . . . . . . . . . . . . . 6-42
Configuring the SNMP Filter tab . . . . . . . . . . . . . . . . . . . . . . 6-42
Configuring the SNMP v1 tab . . . . . . . . . . . . . . . . . . . . . . . . 6-43
Configuring the SNMP Connection tab . . . . . . . . . . . . . . . . . 6-45
Creating Standard Application Defenses . . . . . . . . . . . . . . . . . 6-45
Configuring the Standard Connections tab . . . . . . . . . . . . . . 6-46
Configuring Application Defense groups . . . . . . . . . . . . . . . . . . 6-46
Configuring the Application Defense groups window . . . . . . 6-47
Configuring connection properties . . . . . . . . . . . . . . . . . . . . . . 6-48
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . 6-50
Chapter 7: Creating Rules and Groups . . . . . . . . . . . . . . . 7-1
Viewing rules and rule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Creating proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4
Creating IP Filter rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Creating and managing rule groups . . . . . . . . . . . . . . . . . . . . . 7-19
Creating a rule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Managing rules and nested groups within a rule group . . . . 7-20
Selecting your active policy rules . . . . . . . . . . . . . . . . . . . . . . . 7-22
Viewing the active policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-22
Modifying the active rule groups . . . . . . . . . . . . . . . . . . . . . . 7-24
Viewing and modifying general IP Filter properties . . . . . . . . 7-25
Chapter 8: Configuring Proxies . . . . . . . . . . . . . . . . . . . . . 8-1
Proxy basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Configuring advanced proxy parameters on a per-rule basis
using Application Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Improving performance using Fast Path Sessions . . . . . . . . . 8-3
Proxy session limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Redirected proxy connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5
Address redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Port redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
Standard Sidewinder G2 proxies . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Using other proxies on the Sidewinder G2 . . . . . . . . . . . . . . 8-13
Transparent & non-transparent proxies . . . . . . . . . . . . . . . . . . 8-14
Notes on selected proxy configurations . . . . . . . . . . . . . . . . . . 8-15
Notes on using the Telnet proxy . . . . . . . . . . . . . . . . . . . . . . 8-15
Notes on using the FTP proxy . . . . . . . . . . . . . . . . . . . . . . . . 8-17
HTTP/HTTPS considerations . . . . . . . . . . . . . . . . . . . . . . . . 8-18
ICA proxy considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
Sun RPC proxy considerations . . . . . . . . . . . . . . . . . . . . . . . 8-19
Usenet News proxy configurations . . . . . . . . . . . . . . . . . . . . 8-19
T.120 and H.323 proxy considerations . . . . . . . . . . . . . . . . . 8-22
Table of Contents ix

Table of Contents
x Table of Contents
Generic TCP proxy considerations . . . . . . . . . . . . . . . . . . . . 8-26
Notes on using the DNS proxy . . . . . . . . . . . . . . . . . . . . . . . 8-27
Configuring proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
Configuring proxy properties . . . . . . . . . . . . . . . . . . . . . . . . . 8-28
Setting up a new proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-31
Configuring connection ports . . . . . . . . . . . . . . . . . . . . . . . . 8-33
TCP maximum segment size . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Chapter 9: Setting Up Authentication . . . . . . . . . . . . . . . . 9-1
Authentication overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Proxy authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Administrator authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Weak versus strong authentication . . . . . . . . . . . . . . . . . . . . . 9-3
Supported authentication methods . . . . . . . . . . . . . . . . . . . . . . . 9-5
Standard password authentication . . . . . . . . . . . . . . . . . . . . . 9-6
SafeWord authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
LDAP/Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Windows Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
SNK (SecureNet Key)/Symantec Defender authentication . . . 9-8
SecurID authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Authentication process overview . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Users, groups, and authentication . . . . . . . . . . . . . . . . . . . . . . 9-11
Configuring authentication services . . . . . . . . . . . . . . . . . . . . . 9-11
Setting up LDAP authentication . . . . . . . . . . . . . . . . . . . . . . 9-16
Setting up password authentication . . . . . . . . . . . . . . . . . . . 9-18
Setting up RADIUS authentication . . . . . . . . . . . . . . . . . . . . 9-19
Setting up SafeWord authentication . . . . . . . . . . . . . . . . . . . 9-21
Setting up SecurID authentication . . . . . . . . . . . . . . . . . . . . . 9-22
Setting up SecureNet Key (SNK) authentication . . . . . . . . . . 9-24
Setting up Windows Domain authentication . . . . . . . . . . . . . 9-26
Configuring SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27
Accessing the Web login and logout pages . . . . . . . . . . . . . 9-30
Setting up authentication for services . . . . . . . . . . . . . . . . . . . . 9-30
Special authentication notes . . . . . . . . . . . . . . . . . . . . . . . . . 9-31
Setting up authentication for Web sessions . . . . . . . . . . . . . . . 9-32
Setting up authentication for administrators . . . . . . . . . . . . . . . 9-33
Allowing users to change their passwords . . . . . . . . . . . . . . . . 9-34
How users can change their own password . . . . . . . . . . . . . . . 9-36
Chapter 10: Domain Name System (DNS) . . . . . . . . . . . . 10-1
What is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
About transparent DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2

Table of Contents
About Sidewinder hosted DNS . . . . . . . . . . . . . . . . . . . . . . . 10-2
About mail exchanger records . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Configuring the internal network to use hosted DNS . . . . . . . . 10-5
Enabling and disabling your DNS server(s) . . . . . . . . . . . . . . . 10-6
Using master and slave servers in your network . . . . . . . . . 10-6
Determining the number of DNS servers currently defined on
Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Enabling and disabling hosted DNS servers . . . . . . . . . . . . . 10-7
Advanced configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
Managing your current DNS configuration . . . . . . . . . . . . . . . . 10-9
Configuring transparent name servers . . . . . . . . . . . . . . . . . . . 10-9
Configuring hosted DNS servers . . . . . . . . . . . . . . . . . . . . . . . 10-11
Configuring the Server Configuration tab . . . . . . . . . . . . . . 10-12
Configuring the Zones tab . . . . . . . . . . . . . . . . . . . . . . . . . . 10-16
Using the Master Zone Attributes tab . . . . . . . . . . . . . . . . . 10-20
Using the Master Zone Contents tab . . . . . . . . . . . . . . . . . 10-25
Reconfiguring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29
Reconfiguring transparent DNS . . . . . . . . . . . . . . . . . . . . . 10-31
Reconfiguring single server hosted DNS . . . . . . . . . . . . . . 10-32
Reconfiguring split server hosted DNS . . . . . . . . . . . . . . . . 10-33
Manually editing DNS configuration files . . . . . . . . . . . . . . . . . 10-35
DNS message logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-36
Chapter 11: Electronic Mail. . . . . . . . . . . . . . . . . . . . . . . . 11-1
Overview of
e-mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Mail server configuration options . . . . . . . . . . . . . . . . . . . . . 11-1
Mail filtering services on Sidewinder G2 . . . . . . . . . . . . . . . . 11-4
Sendmail differences on Sidewinder G2 . . . . . . . . . . . . . . . . 11-5
Administering mail on Sidewinder G2 . . . . . . . . . . . . . . . . . . . . 11-6
Viewing administrator mail messages on Sidewinder G2 . . . 11-6
Managing sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Reconfiguring mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9
Editing the mail configuration files . . . . . . . . . . . . . . . . . . . . . . 11-10
Configuring advanced anti-spam options . . . . . . . . . . . . . . . . 11-13
Configuring the whitelist.cfg files . . . . . . . . . . . . . . . . . . . . . 11-13
Configuring the policy.cfg file . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Redirecting mail to a different destination . . . . . . . . . . . . . . . . 11-20
Creating a .forward file in a user’s home directory . . . . . . . 11-20
Creating a .forward file in the root directory . . . . . . . . . . . . 11-21
Other sendmail features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22
Configuring sendmail to strip message headers . . . . . . . . . 11-22
Configuring sendmail to use the RealTime Blackhole list . . 11-24
Table of Contents xi

Table of Contents
xii Table of Contents
Sendmail and promiscuous relaying . . . . . . . . . . . . . . . . . . 11-24
Allowing or denying mail on a user basis . . . . . . . . . . . . . . 11-25
Changing mail aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26
Managing mail queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27
Chapter 12: Setting Up Web Services . . . . . . . . . . . . . . . 12-1
An overview of Web Services on Sidewinder G2 . . . . . . . . . . . 12-1
Web access for users on your internal network . . . . . . . . . . 12-1
Access to your Web server by untrusted external users . . . . 12-2
Access to your internal network by trusted external users . . 12-3
Implementation options for Web access . . . . . . . . . . . . . . . . . . 12-3
Using the HTTP proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
Setting up Web access using the HTTP proxy . . . . . . . . . . . 12-7
Setting up clientless VPN access for trusted remote users . 12-8
Using the Web proxy server . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10
Setting up Web access using the Web proxy server . . . . . . 12-11
Error messages when using the Web proxy server . . . . . . 12-12
Configuring the Web proxy server . . . . . . . . . . . . . . . . . . . . . . 12-12
Configuring caching options . . . . . . . . . . . . . . . . . . . . . . . . 12-15
Configuring HTTP filtering options . . . . . . . . . . . . . . . . . . . 12-16
Manually editing the configuration file . . . . . . . . . . . . . . . . . 12-17
Configuring browsers for the Web proxy server . . . . . . . . . . . 12-19
Mozilla Firefox 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Internet Explorer 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Internet Explorer 5.x/6.x . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Netscape version 6.x/7.x . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21
Certain browsers on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . 12-22
Chapter 13: Configuring Virtual Private Networks . . . . . 13-1
Sidewinder G2 VPN overview . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1
An introduction to IPSec technology . . . . . . . . . . . . . . . . . . . 13-2
VPN configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4
Configuring hardware acceleration for VPN . . . . . . . . . . . . . 13-7
Configuring a VPN client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7
Extended Authentication for VPN . . . . . . . . . . . . . . . . . . . . . 13-8
What type of VPN authentication should I use? . . . . . . . . . . 13-9
Configuring the ISAKMP server . . . . . . . . . . . . . . . . . . . . . . . 13-11
Allowing access to the ISAKMP server . . . . . . . . . . . . . . . . 13-13
Configuring the Certificate server . . . . . . . . . . . . . . . . . . . . . . 13-13
Understanding virtual burbs . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15
Creating and using a virtual burb with a VPN . . . . . . . . . . . 13-17
Configuring client address pools . . . . . . . . . . . . . . . . . . . . . . . 13-18
Configuring a new client address pool . . . . . . . . . . . . . . . . 13-19

Table of Contents
Configuring the Subnets tab . . . . . . . . . . . . . . . . . . . . . . . . 13-20
Configuring the DNS and/or WINS servers . . . . . . . . . . . . . 13-22
Configuring the fixed IP map . . . . . . . . . . . . . . . . . . . . . . . . 13-24
Configuring Certificate Management . . . . . . . . . . . . . . . . . . . . 13-27
Understanding Distinguished Name syntax . . . . . . . . . . . . 13-28
Selecting a trusted source . . . . . . . . . . . . . . . . . . . . . . . . . . 13-31
Configuring and displaying CA root certificates . . . . . . . . . 13-32
Configuring and displaying Remote Identities . . . . . . . . . . . 13-35
Configuring and displaying firewall certificates . . . . . . . . . . 13-37
Configuring and displaying remote certificates . . . . . . . . . . 13-40
Assigning new certificates for Admin Console and
synchronization services . . . . . . . . . . . . . . . . . . . . . . . . . . 13-43
Importing and exporting certificates . . . . . . . . . . . . . . . . . . . . 13-44
Loading manual remote or firewall certificates . . . . . . . . . . 13-44
Importing a firewall certificate . . . . . . . . . . . . . . . . . . . . . . . 13-46
Importing a remote certificate . . . . . . . . . . . . . . . . . . . . . . . 13-47
Exporting remote or firewall certificates . . . . . . . . . . . . . . . 13-48
Configuring VPN Security Associations . . . . . . . . . . . . . . . . . 13-51
Displaying and configuring a VPN Security Association . . . 13-52
Defining a VPN Security Association . . . . . . . . . . . . . . . . . 13-53
Example VPN Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-65
Scenario 1: Sidewinder G2-to-Sidewinder G2 VPN via shared
password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-66
Scenario 2: Simple deployment of remote users . . . . . . . . 13-68
Scenario 3: Large scale deployment of clients . . . . . . . . . . 13-72
Chapter 14: Configuring the SNMP Agent. . . . . . . . . . . . 14-1
SNMP and Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1
SNMP basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2
Setting up the SNMP agent on Sidewinder G2 . . . . . . . . . . . . . 14-8
Enabling/disabling the SNMP server . . . . . . . . . . . . . . . . . . 14-10
About the management station . . . . . . . . . . . . . . . . . . . . . . . . 14-10
Communication with systems in an external network . . . . . . . 14-11
Chapter 15: One-To-Many Clusters . . . . . . . . . . . . . . . . . 15-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1
Considerations when using One-To-Many . . . . . . . . . . . . . . 15-2
Example scenario using a One-To-Many cluster . . . . . . . . . . . 15-4
Example scenario requirements . . . . . . . . . . . . . . . . . . . . . . 15-4
Configuring One-To-Many . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
Configuring a dedicated cluster burb for each
Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-5
Configuring the primary in a new One-To-Many cluster . . . . 15-6
Table of Contents xiii

Table of Contents
xiv Table of Contents
Adding a secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-7
Joining a secondary to an existing One-To-Many cluster . . . 15-9
Viewing the status of a One-To-Many cluster . . . . . . . . . . . 15-10
Changing the primary in a One-To-Many cluster . . . . . . . . 15-11
Removing Sidewinder G2s from a One-To-Many cluster . . 15-12
Understanding the One-To-Many tree structure . . . . . . . . . . . 15-13
Chapter 16: High Availability . . . . . . . . . . . . . . . . . . . . . . 16-1
How High Availability works . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-1
HA configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Load sharing HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3
Failover HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-4
Configuring HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-6
Configuring the heartbeat burbs . . . . . . . . . . . . . . . . . . . . . . 16-7
Configuring Sidewinder G2 for HA . . . . . . . . . . . . . . . . . . . . 16-8
Joining a Sidewinder G2 to an existing HA cluster . . . . . . . 16-13
Enabling and disabling load sharing for an HA cluster . . . . 16-15
Removing a Sidewinder G2 from an HA cluster . . . . . . . . . 16-16
Managing an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-17
Understanding the HA cluster tree structure . . . . . . . . . . . . 16-18
Modifying HA common parameters . . . . . . . . . . . . . . . . . . . 16-20
Modifying HA local parameters . . . . . . . . . . . . . . . . . . . . . . 16-25
Scheduling a soft shutdown for an HA cluster
Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-27
Connecting directly to a secondary/standby . . . . . . . . . . . . 16-29
Chapter 17: Alarm Events and Responses . . . . . . . . . . . 17-1
Configuring alarm events and event responses . . . . . . . . . . . . 17-1
Configuring alarm events . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-2
Displaying and configuring event responses . . . . . . . . . . . . . 17-8
Changing other options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-12
Example alarm event scenario . . . . . . . . . . . . . . . . . . . . . . . . 17-13
Sample Strikeback results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-15
Ignoring network probe attempts . . . . . . . . . . . . . . . . . . . . . . . 17-17
Configuring the ignore list . . . . . . . . . . . . . . . . . . . . . . . . . . 17-18
Checking system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
CPU usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-19
Process status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-20
Disk usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-21
who . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-21
finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Checking network status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Active network connections . . . . . . . . . . . . . . . . . . . . . . . . . 17-22

Table of Contents
Active connections/services . . . . . . . . . . . . . . . . . . . . . . . . 17-22
Network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
route get . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-23
nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-24
dig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-24
whois . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-25
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-26
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17-26
Chapter 18: Monitoring, Auditing, and Reporting . . . . . 18-1
Overview of the audit process . . . . . . . . . . . . . . . . . . . . . . . . . . 18-1
Monitoring Sidewinder G2 status . . . . . . . . . . . . . . . . . . . . . . . 18-3
Auditing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . . 18-5
Understanding audit file names . . . . . . . . . . . . . . . . . . . . . . . 18-6
Viewing audit information . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-7
Exporting audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-11
Filtering audit data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-12
Creating custom audit filters . . . . . . . . . . . . . . . . . . . . . . . . 18-16
Understanding audit messages . . . . . . . . . . . . . . . . . . . . . . 18-19
Logging application messages using Syslog . . . . . . . . . . . . . 18-21
Redirecting audit output . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-22
Viewing syslog messages . . . . . . . . . . . . . . . . . . . . . . . . . . 18-23
Generating and viewing reports using the Admin Console . . . 18-23
Viewing auto-generated reports . . . . . . . . . . . . . . . . . . . . . . . 18-30
Generating exportable reports . . . . . . . . . . . . . . . . . . . . . . . . 18-30
Using third party reporting tools . . . . . . . . . . . . . . . . . . . . . . . 18-31
Formatting & exporting audit data for use with external
tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18-31
Sample WebTrends report . . . . . . . . . . . . . . . . . . . . . . . . . 18-33
Appendix A: Command Line Reference . . . . . . . . . . . . . .A-1
Overview of cf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-1
Summary of cf structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-2
Working with files on the Sidewinder G2 . . . . . . . . . . . . . . . . . .A-10
Changing your default editor . . . . . . . . . . . . . . . . . . . . . . . . .A-10
About editing Sidewinder G2 files . . . . . . . . . . . . . . . . . . . . .A-11
Checking file and directory permissions (ls) . . . . . . . . . . . . .A-12
Changing a file’s type (chtype) . . . . . . . . . . . . . . . . . . . . . . .A-13
Creating your own scripts . . . . . . . . . . . . . . . . . . . . . . . . . . .A-14
Understanding automatic (cron) jobs . . . . . . . . . . . . . . . . . . . .A-15
/etc/daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-15
/etc/weekly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-16
Table of Contents xv

Table of Contents
xvi Table of Contents
/etc/monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-16
Rollaudit cron jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-16
SmartFilter cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-17
Monitor data retrieval cron job . . . . . . . . . . . . . . . . . . . . . . . .A-17
Report generating cron jobs . . . . . . . . . . . . . . . . . . . . . . . . .A-17
Squid log rotation cron job . . . . . . . . . . . . . . . . . . . . . . . . . .A-18
CRL and certificate retrieval cron job . . . . . . . . . . . . . . . . . .A-18
Anti-virus DAT file cron job . . . . . . . . . . . . . . . . . . . . . . . . . .A-18
Package download cron job . . . . . . . . . . . . . . . . . . . . . . . . .A-18
Export utility cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-18
Logcheck cron job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-18
Appendix B: Setting Up Network Time Protocol. . . . . . . .B-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1
NTP servers and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-2
The Sidewinder G2 as an NTP client . . . . . . . . . . . . . . . . . . .B-2
The Sidewinder G2 as an NTP server . . . . . . . . . . . . . . . . . .B-3
Configuring NTP on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . . .B-5
Configuring the Sidewinder G2 as an NTP client . . . . . . . . . .B-5
Configuring the Sidewinder G2 as an NTP server . . . . . . . . .B-6
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8
Internet Request For Comments (RFC) . . . . . . . . . . . . . . . . .B-8
Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-8
On-line manual (man) pages . . . . . . . . . . . . . . . . . . . . . . . . . .B-8
Appendix C: Configuring Dynamic Routing with OSPF. .C-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-1
A closer look at OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-2
OSPF routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-3
OSPF processing on a Sidewinder G2 . . . . . . . . . . . . . . . . . . . .C-4
Sidewinder G2 in an OSPF network topology . . . . . . . . . . . . .C-5
Interoperability with other OSPF routers . . . . . . . . . . . . . . . . .C-6
Other routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-6
Setting up OSPF routing on the Sidewinder G2 . . . . . . . . . . . . .C-6
Configuring OSPF properties . . . . . . . . . . . . . . . . . . . . . . . . .C-7
Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . .C-8
Configuring Advanced options . . . . . . . . . . . . . . . . . . . . . . .C-12
Configuring "passive" OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . .C-13
Other implementation details . . . . . . . . . . . . . . . . . . . . . . . . . .C-13
Appendix D: Configuring Dynamic Routing with RIP . . .D-1
RIP with standard IP routers . . . . . . . . . . . . . . . . . . . . . . . . . . . .D-1
RIP processing on the Sidewinder G2 . . . . . . . . . . . . . . . . . . . .D-3

Table of Contents
RIP with the Sidewinder G2 using transparent IP addressing . .D-5
RIP with the Sidewinder G2 NOT using transparent
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .D-8
Configuring RIP on the Sidewinder G2 . . . . . . . . . . . . . . . . . . .D-12
Rule list support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .D-15
Enabling/disabling the routed server . . . . . . . . . . . . . . . . . . . . .D-15
Trace and log information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .D-16
A note about flushing filter routes . . . . . . . . . . . . . . . . . . . . .D-16
Appendix E: Setting Up SmartFilter Services. . . . . . . . . . E-1
Controlling Web access using the SmartFilter Control List . . . . .E-1
Evaluating the SmartFilter Control List . . . . . . . . . . . . . . . . . . . .E-2
Evaluating the full Control List . . . . . . . . . . . . . . . . . . . . . . . . .E-2
Evaluating the sample Control List . . . . . . . . . . . . . . . . . . . . .E-2
Subscribing to the SmartFilter Control List . . . . . . . . . . . . . . . . .E-3
Configuring SmartFilter on the Sidewinder G2 . . . . . . . . . . . . . .E-3
Setting up SmartFilter on the Sidewinder G2 . . . . . . . . . . . . .E-3
Downloading and installing the SmartFilter Control List . . . . .E-4
Configuring advanced SmartFilter options . . . . . . . . . . . . . . .E-6
Testing your SmartFilter Configuration . . . . . . . . . . . . . . . . . .E-8
Editing the SmartFilter files . . . . . . . . . . . . . . . . . . . . . . . . . . . . .E-8
Editing the SmartFilter configuration file . . . . . . . . . . . . . . . . .E-8
Editing the smartfilter.site file . . . . . . . . . . . . . . . . . . . . . . . . .E-9
Adding a URL to one or more Control List categories . . . . . .E-10
Exempting a site, path, or URL from restriction . . . . . . . . . .E-12
Appendix F: Basic Troubleshooting . . . . . . . . . . . . . . . . . F-1
Powering-up the system to the Administrative kernel . . . . . . . . . F-2
Enabling and disabling authentication for the administrative
kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-3
Restoring access to the Admin Console . . . . . . . . . . . . . . . . . . . F-3
Backing up system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-4
Performing a full system backup (level0) . . . . . . . . . . . . . . . . F-5
Performing an incremental backup . . . . . . . . . . . . . . . . . . . . . F-6
Restoring system files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-8
Performing a full system restore . . . . . . . . . . . . . . . . . . . . . . . F-9
Performing an incremental restore via the do.restore script . F-11
Restoring configuration files using the command line . . . . . . F-14
Adding hardware to an active Sidewinder G2 . . . . . . . . . . . . . . F-14
What to do if the boot process fails . . . . . . . . . . . . . . . . . . . . . . F-16
System reboot messages . . . . . . . . . . . . . . . . . . . . . . . . . . . F-17
Re-imaging your Sidewinder G2 . . . . . . . . . . . . . . . . . . . . . . . . F-17
If you forget your administrator password . . . . . . . . . . . . . . . . . F-19
Table of Contents xvii

Table of Contents
xviii Table of Contents
Changing your password in the administrative kernel . . . . . . F-19
Using maintenance mode to disable authentication when you
have forgotten your password . . . . . . . . . . . . . . . . . . . . . . . F-20
Manually clearing an authentication failure lockout . . . . . . . . F-21
Interpreting beep patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-21
If a patch installation fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-23
Troubleshooting proxy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . F-23
Failed connection requests . . . . . . . . . . . . . . . . . . . . . . . . . . F-24
Monitoring allow and deny rule audit events . . . . . . . . . . . . . F-26
Active rules and the DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . F-28
Understanding FTP and Telnet connection failure messages . F-28
Troubleshooting High Availability . . . . . . . . . . . . . . . . . . . . . . . F-29
Viewing configuration-specific information . . . . . . . . . . . . . . F-29
Viewing status information . . . . . . . . . . . . . . . . . . . . . . . . . . F-30
Identifying load sharing addresses in netstat and ifconfig . . . F-32
Interface configuration issues with HA . . . . . . . . . . . . . . . . . F-34
Troubleshooting remote interface test failover for
peer-to-peer HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-34
Troubleshooting NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-34
Why did NTP stop? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F-35
Why does NTP appear to be inaccurate? . . . . . . . . . . . . . . . F-35
NTP clients will not synchronize with the Sidewinder G2 . . . F-35
Restarting NTP from the UNIX prompt . . . . . . . . . . . . . . . . . F-35
VPN troubleshooting commands . . . . . . . . . . . . . . . . . . . . . . . . F-36
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .G-1
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . In-1

Who should read
this guide
What is covered in
this guide
P R E F A C E
About this Guide
This guide is intended for a Sidewinder G2 administrator. You should
read this guide if you are responsible for configuring and managing a
Sidewinder G2 Security Appliance.
This guide assumes you have:
A working knowledge of UNIX and Windows operating systems.
A basic understanding of system administration.
A working knowledge of the Internet and its associated terms and
applications.
An understanding of networks and network terminology, including
TCP/IP protocols.
This guide provides complete administration information on all
Sidewinder G2 security appliance functions and features. If you are
already responsible for the network to which the Sidewinder G2 will
be connected, you will find that you perform the same basic
administrative tasks on the Sidewinder G2. However, some of these
tasks will differ from standard UNIX systems because of the extra
security mechanisms that are included with Sidewinder G2.
Note: Because it is much easier to administer the Sidewinder G2 using the Admin Console
rather than by entering commands, this document focuses on using the Admin Console
whenever possible.
Each chapter in this guide describes the use and general configuration
of one or more related Sidewinder G2 features. Each chapter also
includes background information to describe how the underlying
technology relates to a Sidewinder G2 configuration.
Table 1 provides a description for each chapter included in this guide.
P
Preface: About this Guide xix

P
What is covered in this guide
Table 1. Chapter summaries
Chapter title Description
Chapter 1:
Introduction
Chapter 2:
Administrator’s Overview
Chapter 3:
General System Tasks
Chapter 4:
Understanding Policy Configuration
Chapter 5:
Creating Rule Elements
Chapter 6:
Configuring Application Defenses
Chapter 7:
Creating Rules and Groups
Chapter 8:
Configuring Proxies
Chapter 9:
Setting Up Authentication
Chapter 10:
Domain Name System (DNS)
Chapter 11:
Electronic Mail
Chapter 12:
Setting Up Web Services
Chapter 13:
Configuring Virtual Private
Networks
xx Preface: About this Guide
Demonstrates how Sidewinder G2 fits into your network and introduces
key operating characteristics.
Provides an overview of the administration interfaces available to you on
the Sidewinder G2, including the Admin Console, the primary
administration tool.
Provides information on performing system tasks such as setting up
additional administrator accounts, making configuration backups, and
applying system patch software.
Provides an overview of the basic policy configuration components on
the Sidewinder G2, including rules and their building blocks.
Provides information on creating users and user groups, network objects,
and service groups.
Provides information on creating Application Defenses.
Provides information on creating rules and groups, and how to select the
active rule groups.
Describes proxy connection services and explains how to configure and
administer them.
Defines what authentication is, describes the various authentication
methods available on Sidewinder G2, and explains how to configure
authentication for Telnet, FTP, and Web sessions.
Explains how to administer the Domain Name System (DNS) on
Sidewinder G2. If needed, you can change your DNS configuration or
configure the network to use Sidewinder G2 DNS.
Explains how to administer mail on Sidewinder G2. If needed, you can
change e-mail aliases or the e-mail configuration.
Describes the Web options that are available on Sidewinder G2 to control
connections between your internal networks and the Web.
Explains how the virtual private network (VPN) security on Sidewinder G2
can be used to protect data travelling between two Sidewinder G2
Security Appliances, or between the Sidewinder G2 and a remote client
workstation.
More...

Chapter title Description
Chapter 14:
Configuring the SNMP Agent
Chapter 15:
One-To-Many Clusters
Chapter 16:
High Availability
Chapter 17:
Alarm Events and Responses
Chapter 18:
Monitoring, Auditing, and
Reporting
Appendix A:
Command Line Reference
Appendix B:
Setting Up Network Time Protocol
Appendix C:
Configuring Dynamic Routing with
OSPF
Appendix D:
Configuring Dynamic Routing with
RIP
Appendix E:
Setting Up SmartFilter Services
Appendix F:
Basic Troubleshooting
What is covered in this guide
Introduces Simple Network Management Protocol (SNMP) network
management and defines how to configure and use the SNMP agent on
Sidewinder G2 to allow communication with SNMP management
stations.
Describes how to set up One-To-Many clustering, a feature that allows
you to manage multiple Sidewinder G2s at the same time.
Describes how to set up the optional High Availability feature, which
allows you to configure load sharing between two Sidewinder G2s, or
configure a hot backup in your network.
Describes how to configure alarm events and responses.
Describes how to monitor activity on Sidewinder G2. This chapter also
describes how to view audit information and generate reports.
Contains a summary of various Sidewinder G2 commands (including cf
commands) that you can use to configure and administer your system.
Describes how to configure and implement the Network Time Protocol
(NTP) on Sidewinder G2.
Describes how to set up routing capability on Sidewinder G2 using the
Open Shortest Path First (OSPF) protocol.
Describes how to set up dynamic routing on Sidewinder G2 using the
routing information protocol (RIP).
Describes how to control Web access using SmartFilter.
Describes basic troubleshooting methods for Sidewinder G2.
Glossary Provides definitions of important terms used in this guide.
Index Provides a cross-reference to important items used in this guide.
Preface: About this Guide xxi

Where to find additional information
Where to find
additional
information
xxii Preface: About this Guide
The Management Tools CD includes the Sidewinder G2
documentation in .pdf format. When you install the Management
Tools on a Windows-based system, the documents are automatically
loaded onto your hard drive. You can view them by selecting Start ->
Programs -> Secure Computing -> Sidewinder G2 3.0 Admin Console ->
Documentation.
Note: To view Sidewinder G2 documents prior to installing the Windows-based tools,
browse to the \Manuals directory on the Management Tools CD.
Table 2. Summary of Sidewinder G2 documentation
Document Description
Perimeter Security
Planning Guide
Educates you about network perimeter security and the
basic issues relevant to integrating a Sidewinder G2 into
your network. It will help you determine the security profile
that best matches your existing network and future security
goals, and then prepare you for your integration project. This
document is a PDF file located in the Start -> Program Files ->
Secure Computing -> Sidewinder G2 Admin Console 3.0 ->
Documentation folder.
Startup Guide Steps you through setting up your initial Sidewinder G2
configuration.
Administration
Guide
Enterprise Manager
Startup Guide
Enterprise Manager
Administration
Guide
This is the guide you are currently reading. It provides
complete administration information on all Sidewinder G2
functions and features. You should read this guide if you are
responsible for configuring and managing a Sidewinder G2
Security Appliance.
Steps you through setting up your initial Sidewinder G2
Enterprise Manager configuration. You should read this
guide if you are responsible for configuring and managing a
G2 Enterprise Manager.
Provides complete administration information on all
Sidewinder G2 Enterprise Manager functions and features.
You should read this guide if you are responsible for
configuring and managing Sidewinder G2 using the
Enterprise Manager.
Online Help Online help is built into the Sidewinder G2 Management
Tools. The Configuration Wizard provides help for each
configuration window. The Admin Console program
provides both screen-based and topic-based online help.
For the latest information regarding Sidewinder G2 and other Secure
Computing products, refer to our Web site at:
www.securecomputing.com.

Online help
Where to find additional information
The Sidewinder G2 graphical user interface (known as the Admin
Console) provides comprehensive online help. To access online help,
click the help icon in the toolbar.
Man (or “manual”) pages provide additional help on Sidewinder G2specific
commands, file formats, and system routines. To view the
available information for a specific topic, enter one of the following
commands:
man -k topic
or
apropos topic
where topic is the subject that you want to look up.
Reference materials
If you are new to system administration, you may find the following
resources useful:
Note: Some of these resources are referenced throughout this guide.
UNIX System Administration Handbook, 3rd Edition, by Nemeth, et
al. (Prentice Hall).
Managing Internet Information Services by Liu, et al. (O’Reilly and
Associates, Inc.)
A standard reference on computer security is Firewalls and
Internet Security by Cheswick and Bellovin (Addison-Wesley).
For network management information, see TCP/IP Network
Administration by Craig Hunt (O’Reilly & Associates, Inc.).
For information on handling mail on UNIX networks, see
Sendmail by Bryan Costales, with Eric Allman and Neil Rickert
(O’Reilly & Associates, Inc.).
For Domain Name System information, see DNS and Bind by
Cricket Liu and Paul Albitz (O’Reilly & Associates, Inc.).
For information about Internet Review for Comment (RFC)
documents, refer to one of the following Web sites:
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
http://www.ietf.org/rfc.html
Preface: About this Guide xxiii

Typographical conventions
Typographical
conventions
xxiv Preface: About this Guide
This guide uses the following typographic conventions:
Table 3. Conventions used in this guide
Convention Description
boldface courier Commands and keywords you type at a system
prompt are in boldface.
courier italic Place holders for text you type. Words that appear in
square brackets [and] are place holders for optional
text.
courier plain Text displayed by this product on a computer screen.
plain text italics Names of files and directories.
Body Text Highlight Button and field names as shown on a graphical user
interface.
Note: Means reader take note. Notes contain helpful
suggestions or references to material not covered
elsewhere in the guide.
Tip: Means the following information will describe a timesaving
action or help you solve a problem.
Important: Means the following text will point out something
you need to know about to ensure the success of a
procedure or a key Admin Console screen.
Caution: Means reader be careful. In this situation, you might
do something that could result in loss of data or
unpredictable outcome.
Security Alert: Emphasizes information that is critical to maintaining
product integrity or security.

C HAPTER 1
Introduction
About this chapter This chapter briefly describes the security that the Sidewinder G2
Security Appliance adds to your network, and introduces the
administration options available to you. It also provides information
on how your Sidewinder G2 operating system differs from a standard
UNIX ® system.
What is the
Sidewinder G2
Security
Appliance?
This chapter includes the following topics:
“What is the Sidewinder G2 Security Appliance?” on page 1-1
“Sidewinder G2 management options” on page 1-3
“The Type Enforced environment” on page 1-4
“Additional Sidewinder G2 operating characteristics” on page 1-9
The Sidewinder G2 Security Appliance is a network security gateway
that allows you to connect your organization to the Internet while
protecting your network from unauthorized users and network
attackers. It includes an application-layer firewall, as well as IPSec
VPN capabilities and clientless VPN access, anti-spam and anti-virus
filtering engines, and SSL decryption.
The Sidewinder G2 provides a high level of security by using
SecureOS ® , an enhanced UNIX operating system that employs Secure
Computing’s patented Type Enforcement ® security technology.
SecureOS removes the inherent security risks often found in a
network application running on commercial operating systems,
resulting in superior network security.
1
Introduction 1-1

1
1-2 Introduction
What is the Sidewinder G2 Security Appliance?
Figure 1-1.
Sidewinder G2
protecting your
organization’s network
The Sidewinder G2 prevents host identification masquerading (IP
spoofing), making it very difficult for attackers to infiltrate your
protected network(s). The Sidewinder G2 also offers advanced
authentication and encryption software. Encryption allows authorized
users on the Internet access to your protected network without fear of
attackers eavesdropping (IP sniffing) or stealing access credentials and
other valuable information.
The Sidewinder G2 allows public services such as e-mail, a public file
archive (FTP), and World Wide Web (Web) access while protecting the
other computers on your protected network(s). The Sidewinder G2
also provides powerful configuration options that allow you to control
access by your employees to almost any publicly available service on
the Internet.
Sidewinder G2 runs on a Pentium-based computer that resides
between your Internet router and your protected network(s). Because
the Sidewinder G2 runs on standard hardware platforms and supports
standard network interfaces, you can integrate the Sidewinder G2 into
almost any network configuration.
Tip: For up-to-date hardware considerations regarding the Sidewinder G2, refer to our
Web page at: www.securecomputing.com/hardware
protected network
Sidewinder G2
router
Internet
A minimum Sidewinder G2 configuration supports two network
interfaces. However, you can add additional network interfaces for a
total of up to 24 network connections.
The configuration shown in Figure 1-2 is useful in providing
protection for two otherwise separate networks within your
organization, or between your organization and a strategic business
partner. This configuration uses three network interfaces.
R
?

Figure 1-2. Protecting
multiple networks with
Sidewinder G2
Sidewinder G2
management
options
your
network
protected networks
trusted
network
Sidewinder G2
Sidewinder G2 management options
R
router
The Sidewinder G2 provides interface flexibility that allows multiple
management options:
Admin Console—You can install and utilize the graphical user
interface software, referred to as the “Admin Console,” on a
Windows ® operating system, allowing you to easily connect to
and manage your Sidewinder G2.
Note: The Admin Console is occasionally referred to as “Cobra” in command line
tools.
SSH session—You can establish a secure shell (SSH) session on a
remote Admin Console (outside of your network) using a
command-line interface.
Telnet session—You can establish a Telnet connection to administer
the Sidewinder G2 via the command-line interface from a
Windows, UNIX, or other workstation capable of running a Telnet
client.
Tip: See Chapter 2 for details on using each management option.
Internet
?
Introduction 1-3

1-4 Introduction
The Type Enforced environment
The Type Enforced
environment
As mentioned earlier in this chapter, Sidewinder G2 runs under
SecureOS, a version of BSD/OS that Secure Computing has enhanced
with a patented security technology called Type Enforcement. Type
Enforcement was originally developed by Secure Computing
Corporation for the Secure Network Server, a product which meets
strict U.S. government standards for computer security. For the most
part, Type Enforcement does not require any extra effort on your part.
The following subsections describe areas that affect how you use the
system and access files of which you should be aware.
Sidewinder G2 kernels
The Sidewinder G2 contains two separate UNIX kernels that each
serve a specific purpose:
Operational kernel
This is the kernel that is running during normal operation. By
default, the system boots to the Operational kernel. In this mode,
the Sidewinder G2 is connected to the Internet and to your internal
networks, and all network services are operational. Most
importantly, the system is fully protected by the Type Enforcement
security software.
Note: For information on booting to the Operational kernel, refer to “Restarting or
shutting down the system” on page 3-2.
Administrative kernel
This kernel is used only when an administrator needs to perform
special tasks on the Sidewinder G2, such as installing or restoring
Sidewinder G2 software. When the Administrative kernel is running,
all network connections are disabled and Internet services
are not available; the Type Enforcement security software is also
disabled. Access to the Administrative kernel is tightly controlled
and cannot be granted remotely.
Important: When you boot to the Administrative kernel, the system can be
accessed only by attaching a monitor and keyboard (or a laptop) directly to your
Sidewinder G2. For information on booting to the Administrative kernel, refer to
“Powering-up the system to the Administrative kernel” on page F-2.

The Type Enforced environment
Table 1-1 lists the major differences between the two kernels. The
Operational kernel features are described in the section immediately
following this table.
Table 1-1. Sidewinder G2 kernels
Operational kernel Administrative kernel
SecureOS is protected by Type
Enforcement. (Type Enforcement is
used at every critical system call and
cannot be turned off.)
Normal operating state—The
Sidewinder G2 will automatically boot
to this kernel.
Network connections are enabled;
Internet services are available.
Divided into many application
domains; domain restrictions are
enforced.
Administrator access is controlled by
authenticated login and access rules.
Access to files by a process is restricted
based on Domain Definition Table.
How Type Enforcement works
Type Enforcement is disabled. File
types and domains exist, but are not
enforced.
Used when performing certain
administrative tasks or installing
software on the Sidewinder G2.
Network connections are disabled;
Internet services are not available.
Domain restrictions are not enforced.
Administrator access is limited to a
keyboard and monitor attached
directly to the Sidewinder G2. By
default, login and access rules do not
apply. (You can configure the
administrative kernel to require
authentication, if desired.)
Access to files by a process is restricted
only by standard UNIX permissions.
UNIX is not known to be a particularly secure operating system.
Logging in as super-user (root) gives you access to all system files; an
intruder who knows how to acquire root privileges can access any
files or applications on a system. In addition, UNIX does not have
tight control over how data files are shared among the processes
running on a system. This means that an intruder who managed to
break into one area of a system, such as e-mail, may be able to easily
gain access to other files on the system.
Introduction 1-5

1-6 Introduction
The Type Enforced environment
The Type Enforcement software in the Sidewinder G2 Operational
kernel is designed to plug these security holes. This is done by using
the following mechanisms (each of the mechanisms is described
below):
provides maximum network protection
provides Type Enforced domain processes
controls Type Enforced attributes applied to files and sockets
controls inter-domain operations, such as signals
controls access to system calls
controls the files a process can access
Maximum network protection
Secure Computing's patented Type Enforcement technology provides
network security protection that is unique to the industry. By using
Type Enforcement within the operating system, the Sidewinder G2
provides the highest level of security.
Type Enforcement is based on the security principle of least privilege:
any program executing on the system is given only the resources and
privileges it needs to accomplish its tasks. On the Sidewinder G2,
there is no concept of a root super-user. Type Enforcement controls
all interactions between domains and file types. Domains must have
explicit permission to access specific file types, communicate with
other domains, or access system functions. Any attempts to the
contrary fail as though the files do not exist.
Type Enforced domain processes
A standard UNIX system separates processes with user and group
identities. Therefore, UNIX identities can be completely subverted by
users who obtain root privileges. The Sidewinder G2 prevents this by
providing separate, Type-Enforced domains for each process running
on the system. Type-enforced domains provide more intricate control
over what each process is allowed to do (see Figure 1-3).

Figure 1-3. Example of
domain separation
structure on the
Sidewinder G2
Type Enforced attributes
The Type Enforced environment
When an administrator initially logs into the Sidewinder G2 at a
command line prompt, they are automatically placed in the User
domain, which allows no access to sensitive files. An administrator
may then switch to their defined administrative role’s domain using
the srole command (for Admn) or srole adminro (for AdRO). The
Admn domain allows an administrator to access to all administrative
functions. The AdRO domain allows read-only access to the system
configuration areas, as well as the ability to generate reports. An
administrator with read-only access cannot make system
modifications.
For information on assigning administrator roles, see “Setting up and
maintaining administrator accounts” on page 3-5.
Inter-domain operations
Interactions between domains, such as signalling, are also controlled
by Type Enforcement. For example, a process running in the SMTP
domain cannot send a signal to the Telnet server running in the Telnet
domain.
Access to system calls
SMTP Audit
User Kernel Network
News Telnet
A typical UNIX system has many privileged system calls that could
enable malicious users to access the kernel directly and compromise
the system. The Sidewinder G2 solves this problem with a set of flags
for each domain that indicate which system calls can be made from
that domain.
Introduction 1-7

1-8 Introduction
The Type Enforced environment
Files available to a process
Process-to-file access is controlled by a Domain Definition Table that
maps out the various classes of data files and processes that may be
running on the Sidewinder G2. The table specifies which process
domains can access different types of files and what type of access is
allowed (such as read/write/execute). This table cannot be
circumvented.
Your system is pre-configured so that domains have access only to the
files they need. The Domain Definition Table cannot be changed
while the Operational kernel is running. This prevents intruders from
tricking the kernel into modifying the table. Also, Type Enforcement
prevents intruders from installing software that may be used to
circumvent Sidewinder G2 security mechanisms.
Type Enforcement’s effects
The previous section outlined how Type Enforcement works. Listed
below are the major ways in which Type Enforcement affects you and
other users:
Non-administrative users will not be aware of Type Enforcement
(unless they try to perform unauthorized activities).
In the Operational kernel, there is no concept of a super-user who
can have complete system control. The “root” account has no
special privileges. The Admin role operating in the Admn domain
has access to most system files, but is still not as powerful as root
on a standard UNIX system.
Domains make it difficult for an intruder to do damage. Breaking
into the domain in which an application is executing does not
provide access to the files required for administering that
application.
Some system administration cannot be performed in the
Operational kernel and must be done in the Administrative kernel.
While in the Administrative kernel, the Sidewinder G2 is not
accessible to any other user or the Internet. When the
Administrative kernel is running, Type Enforcement is turned off,
which allows you to perform procedures such as a software
upgrade or a full system backup and restore.

Additional
Sidewinder G2
operating
characteristics
Figure 1-4. Multiple Type
Enforced areas (burbs)
on Sidewinder G2
Additional Sidewinder G2 operating characteristics
This section lists additional significant differences between Sidewinder
G2 and a standard UNIX system.
Burbs and network stack separation
While installing or managing the Sidewinder G2, you will notice the
use of the term "burb." Burb is a term that refers to a set of one or
more interfaces that are to be treated the same from a system security
policy point of view. Each burb has a unique name (for example,
internal, external) that you assign during initial configuration.
As an example of how burbs are used, suppose your organization has
two internal (protected) networks that need to be connected to the
external network (Internet), but the corporate security policy requires
that there be limited or no information flow between the two internal
networks. In this scenario, you would configure three burbs for your
Sidewinder G2, as shown in Figure 1-4. The security policy must be
defined to enforce the required control over information flow
between the two internal security burbs and between the external
burb and the individual internal burbs, while also protecting the
internal burbs from unauthorized access from the Internet.
trusted networks
Sidewinder G2
showing Type
Enforced network
areas (burbs)
R
router
Internet
Introduction 1-9

1-10 Introduction
Additional Sidewinder G2 operating characteristics
Figure 1-5. Logical
network protocol stacks
provide network
separation
One of the unique aspects of the SecureOS is the use of multiple
logical network stacks to strengthen the enforcement of the inter-burb
aspects of the system security policy. A network stack consists of
different layers of software responsible for different aspects of the
communications. For example, one layer checks a message’s routing
information to ensure that it is transmitted to the correct network.
Normal computing systems, and firewalls that operate on an
unsecured OS, have only one network stack.
The SecureOS includes modifications that provide stronger separation
of communication between different burbs. There are checks at all
layers of the software to ensure that the network stack data from one
burb is not mixed with, or impacted by, data associated with another
burb. This logical separation of the network stacks by the security
burb is augmented by the Type Enforcement security policy, which is
integral to SecureOS. It controls all operational aspects of the system,
including enforcement of the separation data processing by the
security burb. This ensures that information passes from one burb to
another only if the network security policy says the specific
information flow is allowed.
Figure 1-5 shows this logical network separation and the processing
elements involved in the transfer of data between the network stacks
associated with each burb. Before a process can interact with a
network stack, the Type Enforcement security policy must indicate
that the process is allowed to interact with that burb’s network stack.
trusted
network
Sidewinder G2
logical network
protocol stacks
Internet

Proxy software and access control
Additional Sidewinder G2 operating characteristics
The Sidewinder G2 uses special programs, called proxies, to forward
application data between your network and the Internet. Proxies
essentially provide a go-between that can communicate with the
burbs on Sidewinder G2. For example, when a user on an internal
burb tries to establish an Internet connection, Sidewinder G2
intercepts the connection attempt and opens the connection on the
user’s behalf. All Internet connections are made by the Sidewinder G2
so that the internal network never communicates directly with the
Internet burb. You can configure transparency on a per-rule basis,
allowing it to appear from a user’s perspective as if they are
connecting directly to the destination and not connecting to the
Sidewinder G2 first.
Important: Proxies communicate between two Type Enforced network areas in
Sidewinder G2. Therefore, proxies are not used to control an external (Internet) user’s
access to the external side of the Sidewinder G2. For example, when an external user
accesses a Telnet server that you have made publicly available on the external side of the
Sidewinder G2, there will be no proxy to intervene. For users on the Internet, proxies are
only used when they try to access an internal burb on the Sidewinder G2.
The Sidewinder G2 supports Web (HTTP), Telnet, and many other
TCP-based proxies. The Sidewinder G2 also supports proxies for
routing SNMP, NTP, DNS, and other types of services that require UDP
transmissions. You can also create your own special proxies for other
services. In addition, the Sidewinder G2 provides proxies that use
multiple TCP and/or UDP sessions such as FTP, Real Media, and
Oracle SQLNet.
Note: See Chapter 8 for a detailed description of the Sidewinder G2 proxies and
procedures for configuring them.
You configure which internal users can use each type of proxy by
creating proxy rules and organizing them into rule groups that enforce
your site’s security policy. For example, you can configure rules that
allow all internal users to access all Internet Web sites, or you can
prohibit users from accessing the Web from specific internal systems
or from accessing specific Web sites. You can configure advanced,
application-specific properties for your proxy rules using Application
Defenses.
Note: See Chapter 4 for a detailed description of proxy rules and Application Defenses.
Introduction 1-11

1-12 Introduction
Additional Sidewinder G2 operating characteristics
IP filtering
You can configure the Sidewinder G2 to securely forward IP packets
between networks using IP Filter. Unlike proxies, which operate at
the application layer and in most cases on TCP or UDP traffic, IP Filter
operates directly on IP packets allowing non-TCP/UDP (as well as
TCP/UDP) traffic to pass between the networks. For example, with IP
Filter you can pass encrypted VPN sessions through the Sidewinder
G2.
IP Filter works by inspecting many of the fields within a packet,
including the source and destination IP address, port, and protocol.
Each packet that arrives at the Sidewinder G2 will be inspected and
compared to an active IP Filter rule group that you have configured.
Matching packets will then be forwarded on to the destination
network.
You can configure IP Filter to inspect TCP, UDP, and many other
protocols. With the TCP protocol, the Sidewinder G2 actively tracks
individual sessions by performing stateful inspection. This ensures
that only packets valid for a portion of a specific TCP session are sent
on to the actual destination. In addition, the Sidewinder G2 supports
the ability to perform Network Address Translation (NAT) and
redirection when using IP Filter.
Using NAT, the source address of outgoing IP packets are translated
from the client's IP address to the external address of the Sidewinder
G2. Using redirection, the destination address of an incoming packet
is rewritten to a redirect host. Using NAT and/or redirection allows the
IP addresses of machines behind the Sidewinder G2 to be hidden.
You can also allow a private, non-routeable network (such as
10.0.0.0) to access the Internet using NAT.
Note: See Chapter 4 for information on using IP Filter rules.
daemond
The daemond (pronounced demon-dee) process is a powerful
component that enhances overall security. It monitors and controls all
of the major software components on Sidewinder G2. It also detects
and audits some classes of attacks against the Sidewinder G2.

Additional Sidewinder G2 operating characteristics
For example, should someone try to attack a Sidewinder G2 service
(such as sendmail), causing the component to crash, the daemond
process will detect the failure, immediately restart the failed
component, and create a critical event audit entry (allowing the
administrator to be notified and respond to the attack).
daemond starts during the Sidewinder G2 boot process. On start up, it
reads the /etc/sidewinder/daemond.conf file to determine its
configuration options. As a Sidewinder G2 administrator, there are
two daemond options you should be aware of: default memory size
and failure mode.
About the default memory size option
If no memory size is specified for a service in the /etc/server.conf or
/etc/sidewinder/nss.common.conf files, the default memory size option
specifies the size (in MB) that daemond will give each of the services it
starts. The default size is 128 MB. If there is no value present in the
daemond configuration file, it will use the default value from
/etc/login.conf.
About the failure (safe) mode option
By default, daemond will run in its normal mode (that is, failure mode
is not configured and daemond will run in its normal, operational
mode). This means that daemond will attempt to start all enabled
components in the /etc/server.conf and
/etc/sidewinder/nss.common.conf files. When failure mode is enabled
in the /etc/sidewinder/daemond.conf file, and a failure event has
occurred, daemond will start in failure mode (also called safe mode).
This means that daemond will only start the components that are
enabled for failure mode in the /etc/server.conf and
/etc/sidewinder/nss.common.conf files. Components that are NOT
enabled for failure mode will not be started.
Introduction 1-13

1-14 Introduction
Additional Sidewinder G2 operating characteristics
Failure mode is set under any of the following circumstances:
a license check fails
the audit partition overflows
an error occurs while installing a patch
Note: If a patch fails for any reason, the patch process will configure daemond to
start in failure mode. This is done in order to secure the system and provide only
necessary administrator access to the Sidewinder G2.
If you configure a failover High Availability (HA) cluster, the standby
Sidewinder G2 will run in failure mode. If the primary Sidewinder G2
becomes unavailable and the standby is required to take over as the
primary Sidewinder G2, daemond will start all services for that
Sidewinder G2.
If the primary Sidewinder G2 in an HA cluster goes into failure mode
and the secondary/standby Sidewinder G2 is not available, the
primary Sidewinder G2 will remain as the primary Sidewinder G2, but
the priority value for that Sidewinder G2 will change to one, ensuring
that if a secondary/standby Sidewinder G2 becomes available, it can
take over as the primary Sidewinder G2. For information on HA, see
Chapter 16.
daemond and run levels
When running in either normal mode or failure mode, daemond starts
components according to their run level. After each component in a
run level has started, daemond "sleeps" for the run level interval
specified in the /etc/daemond.conf file. After the sleep completes,
daemond starts the components in the next run level. There are five
different run levels. Each run level contains the following
components:
Table 1-2. daemond run levels
Run level Component
0 auditd, auditsql, aclsql, swedesql
1 acld, auditbotd, resolverd, upsd
2 auditdbd, named-unbound, named-internet, randomd
3 nss
4 All remaining proxies and servers. This is also the default run level.

Additional Sidewinder G2 operating characteristics
There are four key components that must be enabled and running
before daemond will successfully boot the Sidewinder G2. These are:
auditd, auditsql, aclsql, and acld.
Whether running in normal or failure mode, daemond will fail to bring
the Sidewinder G2 up completely if any of the following situations
occur:
a configuration file error exists in any of the three files daemond
parses: /etc/daemond.conf, /etc/server.conf, and
/etc/sidewinder/nss.common.conf
the system has not been properly licensed or activated
a key component failed to start up or was not properly enabled
a patch installation failed
If one of these error conditions occur, a message appears notifying
you that your system has booted to failure mode along with the
reason why it booted to failure mode. The reason for the failure will
be logged in /var/log/daemond.log. If none of the above situations
occur, daemond will bring the system up without error.
Once the Sidewinder G2 has finished booting and the system is
operational, daemond becomes responsible for monitoring, stopping
and starting all the components in /etc/server.conf and
/etc/sidewinder/nss.common.conf. While daemond is monitoring the
enabled and running components, it is also responsible for keeping
an instance of that component running.
Restarting processes
If a component dies unexpectedly, daemond will restart that
component and audit the event in both the audit log and the daemond
log. The message in /var/log/daemond.log will look similar to this:
Nov 7 16:05:22 fiji : restarting /usr/libexec/syncd
(2686) due to unexpected death
If a component quits within five seconds of starting three times in a
row, daemond will not attempt to restart it until the next time daemond
rereads its configuration files. This event will also be audited to both
the audit log and the daemond log. The message in /var/log/
daemond.log will look similar to this:
Nov 5 18:13:03 fiji : /usr/contrib/sbin/sshd will
not be restarted due to possible startup errors
Introduction 1-15

1-16 Introduction
Additional Sidewinder G2 operating characteristics
Stopping processes
daemond is also responsible for stopping processes. If a Sidewinder G2
administrator chooses to disable a process (using the Admin Console
or cf commands), the configuration files are changed and a SIGHUP
command is sent to daemond. The SIGHUP command signals daemond
to reread the configuration files. If daemond finds an entry associated
with a currently running process that is now marked as disabled,
daemond will stop that process. The process will not be started again
until it is re-enabled by an administrator. Re-enabling a process will
cause another SIGHUP command to be sent to daemond, which will
reread the configuration files and attempt to restart the process.
All component failure events are logged in the /var/log/daemond.log
file. If daemond fails during system start-up, the daemond log file will
record the reason for this failure. It will also record information each
time daemond restarts a process that died unexpectedly. This is useful
for tracking attacks on a particular component.
Network Services Sentry (NSS)
If you have administered a standard UNIX system, you are probably
familiar with inetd, which manages daemons for network services.
Daemons are server processes that run continuously in the
background and wait until they are needed. On the Sidewinder G2,
inetd has been replaced with the Network Services Sentry (NSS),
which manages most of the server and proxy services. There is an NSS
configuration file for each burb defined on your Sidewinder G2. The
NSS configuration files are updated for you when you make changes
to services. For example, the files are updated whenever you enable
or disable a proxy.
NSS regulation of valid ports for the Admin Console
For the Admin Console and synchronization services, NSS regulates
the ability to change the default port. You may use the Admin Console
or the command line to edit the default ports for these services. For
example, you might want to alter ports when the default conflicts with
the port of another service, or when you want to create a portlist with
non-continuous numbers.

Additional Sidewinder G2 operating characteristics
You can edit the port fields using the Admin Console Firewall
Administration -> UI Access Control window. See “Backing up and
restoring configuration files using the Admin Console” on page 3-15
and “Configuring remote Admin Console management” on page 3-56
for details.
When changing the port for a service, be sure to consider the criteria
listed in Table 1-3 below.
Table 1-3. Criteria for modifying a service port
Port type Criteria
Valid ports must be . . . between 1–65535 when using the Admin
Console, and for all other services
unique within ports assigned to other services
of the same type (server, t_proxy, nt_proxy)
Valid port ranges must be . . . two valid ports separated by a single hyphen
(may be non-continuous)
listed in ascending order
a maximum of 1995 ports
between 1–65535 when using the Admin
Console, and for all other services
unique within ports assigned to other services
of the same type (server, t_proxy, nt_proxy)
Valid portlists must be. . . valid ports and/or valid ranges separated by
spaces
Introduction 1-17

1-18 Introduction
Additional Sidewinder G2 operating characteristics

C HAPTER 2
Administrator’s Overview
About this chapter This chapter provides an overview of the administration options
available to you. This chapter includes the following topics:
“Administration interface options” on page 2-2
“Admin Console basics” on page 2-3
“Admin Console conventions” on page 2-11
“Using the Admin Console File Editor” on page 2-12
“Remote administration using Secure Shell” on page 2-17
“Administering Sidewinder G2 using Telnet” on page 2-24
2
Administrator’s Overview 2-1

2
Administration interface options
Administration
interface options
2-2 Administrator’s Overview
You can manage Sidewinder G2 in one of two ways:
Admin Console—The Administration Console (or Admin Console) is
the graphical software program that runs on a Windows system
within your network. The Admin Console is installed using the
Management Tools CD. This CD also installs the Configuration
Wizard, which is used to create your configuration diskette on a
Windows system. The graphical windows that comprise the Admin
Console allow you to use a mouse and keyboard to configure and
manage Sidewinder G2. (For information on installing the Admin
Console software, see the Sidewinder G2 Startup Guide.)
Note: The Admin Console is occasionally referred to as “cobra” in some command
line tools. For information on using the Admin Console, see “Admin Console basics”
on page 2-3.
command line interface—If you are experienced with UNIX, you can
also use the command line interface to configure and manage
Sidewinder G2. Command line interface refers to any UNIX
prompt. The command line interface supports many Sidewinder
G2-specific commands as well as standard UNIX commands you
can enter at a UNIX prompt. For example, the cf (configurator)
command can perform a wide range of configuration tasks.
Tip: For help using command line interface instead of the Admin Console to manage your
Sidewinder G2, refer to Appendix A. You can also use the extensive manual (man) pages
included on Sidewinder G2. To do so, log in to Sidewinder G2 at a command prompt, type
man followed by the name of a command, and then press Enter.
For most administrative tasks you can use the Admin Console as the
primary Sidewinder G2 interface. If you prefer, you can connect via
SSH or Telnet, and utilize the command line interface to perform
administrative tasks.
Tip: Because it is much easier to administer Sidewinder G2 using the Admin Console
rather than by entering commands, this document focuses on using the Admin Console
whenever possible.
Whether you use the Admin Console or the command line interface,
you can manage Sidewinder G2 from a number of locations. Figure 2-
1 highlights the administration interface options available to you.
Note: Normal administration is possible only when the Operational kernel is booted.
When the Administrative kernel is running, all administration must be done directly on the
Sidewinder G2 by connecting a monitor and keyboard (or laptop).

Figure 2-1. Sidewinder
G2 administration
options
Admin Console
basics
Admin Console
running
on a Windows
workstation
Command line
interface via a
Telnet connection
on a Windows or
UNIX workstation
Sidewinder G2
Internet
Admin Console basics
This section describes how to start the Admin Console, and explains
how to add a new Sidewinder G2. It also provides general guidelines
for using the Admin Console. For information on installing the Admin
Console software on a Windows PC, see the Sidewinder G2 Startup
Guide.
Note: This version of the Admin Console supports backwards compatibility. Therefore, if
you have a current version of the Admin Console installed, you can still connect to a
remote Sidewinder G2 that is running at 6.0.0.00 or higher, and the window will
automatically update to display the earlier version of the Admin Console. You will also
receive online help that is appropriate to the version at which the Sidewinder G2 is
running.
Starting and exiting the Admin Console
Remote Admin
Console or command
line interface via an
SSH connection
To access the Admin Console from a Windows workstation within
your network, the Sidewinder G2 must be configured to allow secure
sessions for the burb in which you will be connecting to the
Sidewinder G2. (This is normally defined during the installation and
configuration process.) For information on enabling administration on
an active Sidewinder G2, see “Configuring remote Admin Console
management” on page 3-56.
Administrator’s Overview 2-3

Admin Console basics
2-4 Administrator’s Overview
Starting the Admin Console
To start the Admin Console on a Windows workstation, do one of the
following:
click the Sidewinder G2 Administration icon
located on the desktop.
select Start -> Programs -> Secure Computing -> Sidewinder G2 Admin
Console 3.0 -> Firewall Admin Console.
If you are starting the Admin Console for the first time, you will need
to add the Sidewinder G2(s) that you want to manage. See “Adding a
Sidewinder G2 to the Admin Console” on page 2-4 for information on
creating a new Sidewinder G2.
Exiting the Admin Console
To exit the Admin Console, do one of the following:
Important: If you have any active connections when you exit the Admin Console, those
connections, as well as any unsaved changes, will be lost. You will not be prompted to save
before exiting.
In the File menu, select Exit.
Simultaneously press Alt+x.
Click the icon in the upper right corner of the Admin Console
window.
Adding a Sidewinder G2 to the Admin Console
Before you can manage a Sidewinder G2 using the Admin Console,
you must first identify it in the Admin Console. Follow the steps
below.
1. In the Admin Console window, click the icon, (or click File -> New
Firewall). The Add Firewall window appears.
2. In the Name field, type a descriptive name for the Sidewinder G2 you are
adding. For example, you might specify the host name you used during
the installation process. Only alphanumeric characters and dashes can
be used; spaces are not allowed.

Figure 2-2. Admin
Console Login window
Admin Console basics
3. In the IP Address field, type the IP address you want to use to access the
Sidewinder G2. The address must be a valid IP address for an interface
on the Sidewinder G2. Also, the interface must be contained within a
burb for which remote administration has been enabled.
To view the current mapping of interfaces and burbs, refer to the
Interface Configuration and UI Access Control windows in the Admin
Console (you can also use ifconfig -a via the command line).
4. Click Add to save the information and exit this window. Each Sidewinder
G2 you add is displayed in the Admin Console tree (in the left portion of
the window).
5. Click on the appropriate icon listed under Firewalls. The properties
appear in the right portion of the window.
6. [Conditional] The Port field displays the default port number (9003) on
which the Sidewinder G2 will listen. You will generally not need to
modify this field.
7. To log in and connect to a Sidewinder G2, see “Connecting to a
Sidewinder G2 via the Admin Console” on page 2-5.
Connecting to a Sidewinder G2 via the Admin Console
To connect to a specific Sidewinder G2, select the appropriate icon
from the Admin Console tree and then click Connect. The login
window appears.
Administrator’s Overview 2-5

Admin Console basics
2-6 Administrator’s Overview
Connecting to a Sidewinder G2
The first time you attempt to connect to a Sidewinder G2 using the
Admin Console, a pop-up window appears presenting you with the
firewall certificate that will be used for all subsequent administrative
connections. To accept the certificate, click Yes.
If you want to verify the certificate before accepting it, you will need
to obtain the certificate fingerprint before you log in to the Admin
Console. To obtain the certificate fingerprint, log into the Sidewinder
G2 via command line and enter the srole command to change to the
admin role. (If you have not configured remote access, you will need
to attach a monitor directly to your Sidewinder G2.) Enter the
following command:
cf cert view fw name=cert_name
The contents of the certificate are displayed. The certificate fingerprint
is located at the bottom of the certificate directly beneath the
END CERTIFICATE identifier. This fingerprint can be used to verify the
fingerprint that is displayed when you initially connect to the
Sidewinder G2 via the Admin Console.
To log in to a Sidewinder G2, follow the steps below.
1. In the Username field, enter your Sidewinder G2 user name.
2. In the Authentication Method drop-down list, select the appropriate
authentication method for the Sidewinder G2 to which you are
connecting.
Valid options include a simple password or a more sophisticated
method such as SafeWord, SecurID, SNK, RADIUS, LDAP or Microsoft NT.
Note: All methods other than the password method require access to a separate
authentication server.
3. Click OK. An authentication window appears. Enter the appropriate
response, and then click OK. When you connect for the first time, the
Feature Notification window appears displaying the status of each
licensed feature.

Figure 2-3. Feature
Notification window
Admin Console basics
Note: If you do not want this window to appear each time you connect, select the
Don’t show this again check box.
4. When you are finished viewing the window, click Close.
The main Admin Console window appears. (See “About the main
Admin Console window” on page 2-8 for information on using the main
Admin Console window.)
Note: For an overview of the tasks you can perform using the Admin Console, see
“Admin Console conventions” on page 2-11.
Disconnecting from the Sidewinder G2 via the Admin Console
To end an Admin Console session for a Sidewinder G2, do one of the
following:
Right-click on the Sidewinder G2 icon, and select Disconnect from
the menu that appears.
Select the Sidewinder G2 icon, and click Disconnect in the main
Admin Console window.
Administrator’s Overview 2-7

Admin Console basics
Figure 2-4. Main Admin
Console menu
Main Admin Console
window
2-8 Administrator’s Overview
About the main Admin Console window
When you start the Admin Console and connect to a Sidewinder G2, a
window similar to the following appears.
From this window you can connect to and manage one or more
Sidewinder G2s.
Admin Console windows are divided into three areas: top, left, and
right, as described in the sections below.

About the top portion of the Admin Console window
Admin Console basics
The top portion of the Admin Console window contains five icons
that represent various shortcut actions, shown in the table below.
Click this icon to add a Sidewinder G2 that you can manage
using the Admin Console. For more information on adding a
new Sidewinder G2, see “Adding a Sidewinder G2 to the Admin
Console” on page 2-4.
Click this icon to save changes you make in the Admin Console
to the Sidewinder G2.
Click this icon to cancel (or ‘rollback’) any unsaved changes in the
Admin Console.
Click this icon to refresh (or update) the screen.
Click this icon to launch the State Change Wizard. (If you are
connected to an HA or One-To-Many cluster, clicking this button
will take you to the appropriate cluster management window.)
Click this icon to access context-sensitive online help for the
current Admin Console window that is displayed.
The top portion of the window also contains the following menu
options.
File—The following options are available under this menu:
— New Firewall: Add a Sidewinder G2 that can be managed using
the Admin Console.
— Exit: Exit the Admin Console application.
Help—The following options are available under this menu:
— Context-sensitive Help: Display specific information for an
Admin Console window. The title for this option correlates to
the specific window for which you will receive help.
— About Help: Display information about the current version of
the Admin Console software.
Administrator’s Overview 2-9

Admin Console basics
2-10 Administrator’s Overview
About the left portion of the Admin Console window
The left portion of the window contains the Admin Console tree. The
Admin Console tree is not active unless you are connected to a
Sidewinder G2. Once you are connected to a specific Sidewinder G2,
you can click on any of the items in the Admin Console tree to
manage that area of your Sidewinder G2.
You can also right-click on a Sidewinder G2 in the Admin Console
tree to perform the following actions:
expand or collapse the branch items beneath a Sidewinder G2
icon
delete a Sidewinder G2 from the Admin Console
connect or disconnect a Sidewinder G2 from the Admin Console
The lower left portion of the Admin Console provides a History
button that displays regarding a feature’s history.
About the right portion of the Admin Console window
The right portion of the Admin Console window initially displays
configuration information for the Sidewinder G2 to which you are
currently connected, as follows:
Name—Defines the name of the Sidewinder G2 to which you are
connected.
IP Address—Identifies the IP address of the Sidewinder G2 to which
you are connected.
Port—Identifies the port number that will be used to connect to
the Sidewinder G2.
Version—This is a read-only field that displays the current
Sidewinder G2 version after connecting to the Sidewinder G2.
Sidewinder G2 State—This is a read-only field that displays the
current Sidewinder G2 state (whether it is a standalone, part of an
HA or One-To-Many cluster, or part of an enterprise managed
environment).

Admin Console
conventions
Admin Console conventions
State Change Wizard—This button launches the State Change
Wizard. The State Change Wizard allows you to do the following
(options vary depending on the current state):
— Create or join a High Availability cluster.
— Create or join a One-To-Many cluster.
— Become part of an enterprise managed environment.
— Revert to a standalone.
Connect/Disconnect—Establishes or breaks a connection with the
selected Sidewinder G2.
Note: When you click on the different areas of the Admin Console tree, this portion of the
window changes to display information specific to that area.
When using the Admin Console, the following conventions and tips
will help you avoid common mistakes:
To filter a table based on the contents of a single column, right
click on a column heading and select the filter criteria for which
you want to filter. (To customize a filter, select the Custom Filter
option.) To view all items in a table, select the No Filter option.
You can also reverse the order of the table within a column by
clicking the appropriate column heading. To return the table to its
original order, click the column heading a second time.
— Right–click a column heading and use the Filter By option to
filter on a particular item or create a custom filter.
— Click the appropriate column heading to sort rules by a
particular field (column). Click the heading a second time to
sort the list in reverse order. You can select an item to modify
from a list by double clicking on it or by clicking on it once to
highlight it, and then clicking Modify.
When a box preceding an option is filled in or contains a check
mark, it is enabled or selected. When the box is empty (a check
mark does not appear), the option is disabled.
On some windows, you need to use the scroll bar to view all of
the information or options.
In the Rules window, you can reposition rules and groups by
clicking and dragging an entry to a new location.
Administrator’s Overview 2-11

Using the Admin Console File Editor
Using the Admin
Console File Editor
2-12 Administrator’s Overview
To delete an item from a list or table in an Admin Console
window, click on the item to select it, and then click Delete.
When you leave a window that you have modified, you will
automatically be prompted to save your changes before you exit
the window. You can also save your modifications at any time by
clicking the Save icon in the toolbar (or an OK button for some
pop-up windows).
When you exit a window and do not want to save your changes,
click No when prompted to save your changes. You can also
cancel your changes at any time by clicking the Rollback icon (or
the Cancel button in some windows) to restore the current
window’s settings to the last saved version.
For assistance on any of the Admin Console windows, click the
Help icon located in the top portion of the window. The online
help provides information about each of the Admin Console
windows. To view the entire list of available help topics, click the
TOC button from within the help system.
While administering Sidewinder G2, you may find it necessary to
modify a text file or a configuration file. Although the typical UNIX
editors are available for you to use (vi, emacs, and pico), you may
find it easier to use the File Editor provided with the Admin Console.
The File Editor is an easy-to-use editor that is available directly from
the Admin Console. The File Editor simplifies the editing process,
enabling you to perform virtually every necessary editing task from
the Admin Console instead of using a command line.
The File Editor also provides some additional conveniences such as
unique file backup and restore features. (Of course, UNIX aficionados
are still welcome to use the editor of their choice if they prefer.) In
addition, using the File Editor through the Admin Console provides a
secure connection.
To access the File Editor, log in to the Admin Console, select File
Editor, and then click Start File Editor. The following window appears:

Figure 2-5. File Editor
window
About the File Editor
window
Using the Admin Console File Editor
The File Editor window contains three different menu options.
File—This menu contains the basic action options. Use it to open
new or existing files, and to save files. The File menu also provides
two unique capabilities: it enables you to create a backup copy of
a file, and it enables you to restore a file from a previously saved
backup copy. See “Creating a backup file in the File Editor” on
page 2-14 and “Restoring a file” on page 2-15 for details.
Edit—This menu enables you to perform typical functions such as
cutting, copying, pasting, and finding/replacing text. See “Using
the Find/Replace option” on page 2-16 for information on finding
and replacing text.
Help—The following options are available under this menu:
— File Editor Help: Displays specific information for the File Editor
window.
— About Help: Displays information about the current version of
the Admin Console software.
Opening and saving files in the File Editor
When you select File -> Open or File -> Save As a window similar to the
following appears.
Administrator’s Overview 2-13

Using the Admin Console File Editor
Figure 2-6. Open File
window
Opening or saving a file
using File Editor window
2-14 Administrator’s Overview
To open or save a file, follow the steps below.
1. [Conditional] In the Source field, specify where the source is located. The
options are:
Local File—Indicates the file is located on the local Windows
workstation or on a network connected to the workstation.
Firewall File—Indicates the file is located on the Sidewinder G2.
2. In the File field, type the full path name of the file.
If you do not know the full path name, click Browse to browse the
available directories. When you locate the file, click OK. The file name
appears in the File field.
3. Click OK to open or save the file, or click Cancel to cancel the request.
Creating a backup file in the File Editor
When modifying the Sidewinder G2 configuration files, it is normally
a good practice to create a backup copy of the file before you begin
editing the file. That way, if you make a mistake while editing the file
you have the option to revert to the original file. The File Editor
provides an easy method for creating a backup copy of a file. You can
even make a backup after you begin modifying a file. The key is to
create the backup before you save your changes. Once you save your
changes you will not be able to create a backup file that mirrors the
original file.
To make a backup copy of a file, open the file with the File Editor, then
select File -> Backup. The following window appears:

Figure 2-7. Backup File
window
Entering information on the
Backup File window
Figure 2-8. Restore
window
Entering information in the
Restore File window
Using the Admin Console File Editor
To make a backup copy of the last saved version of the file currently
open within the File Editor, follow the steps below.
1. In the Name of Backup File field, specify a name for the backup file. By
default, the file is given the same name as the original file but with a
.bak extension.
The backup file will be created in the directory listed in the Current
Directory field. This is the directory in which the original file currently
resides, and cannot be modified.
2. Click OK to save the information and exit the window, or click Cancel to
exit the window without saving the backup file.
Restoring a file
In order to restore a file, the file must be open within the File Editor.
Select File -> Restore and the following window appears.
This window enables you to restore a file to its original contents. You
can do this only if you have previously created a backup copy of the
file. Follow the steps below.
1. In the Restore From File field, specify the name of the backup file to use
when restoring the file to its original condition. If you do not know the
name of the backup file, click Select to browse the available files. When
you locate the file, click Open. The file name appears in the Restore From
File field.
Administrator’s Overview 2-15

Using the Admin Console File Editor
Figure 2-9. Find/Replace
window
Entering information on the
Find/Replace window
2-16 Administrator’s Overview
Note: If a backup file exists, it will appear in the same directory as the current file,
because you are only allowed to create a backup in the same directory. The Current
Directory field displays the name of that directory and cannot be modified.
2. Click OK to save the information and exit the window, or click Cancel to
exit the window without saving the backup file.
Using the Find/Replace option
You can use the Find/Replace option on the Edit menu to perform
advanced editing of files. To use the Find/Replace option, select
Edit -> Find/Replace. The following window appears.
This window enables you to locate a character string within the file
and to replace the character string with a different character string.
Follow the steps below.
1. In the Find what field, specify the character string you want to search for
within the file.
2. [Optional] If you want to replace the character string specified in the
Find what field with a different character string, type the new string in
the Replace with field.
3. In the Search field, specify which direction in the file the search should
be performed. There are two options:
Down—From your current position within the file, the File Editor
will search down (forward) in the file for the specified character
string.
Up—From your current position within the file, the File Editor will
search up (backward) in the file for the specified character string.

Remote
administration
using Secure Shell
Remote administration using Secure Shell
4. In the Case field, specify whether the File Editor should find any
matching character string, or if it should consider upper and lower case
when performing the search. There are two options:
Match—Find only those character strings that exactly match the
case as specified in the Find what field.
Ignore—Find all matching character strings regardless of upper
and lower case.
5. Click Find Next to initiate the character search and to locate the next
occurrence within the file.
6. [Optional] If the character search locates a match, you can click Replace
to replace the found character string with the character string specified
in the Replace with field. To replace all occurrences of the character
string, click Replace All. An Info window will appear indicating how
many times the character string was replaced. Click OK to close the Info
window.
7. To find additional occurrences of the character string, continue to click
Find Next for each occurrence. When there are no additional
occurrences, a message will appear telling you that the search is
complete.
8. When you are finished searching, click Close to exit this window.
Secure Shell (SSH) provides secure encrypted communication
between two hosts over an insecure network, allowing you to
remotely manage your Sidewinder G2. This section describes how to
configure and use the Sidewinder G2 as an SSH server and/or an SSH
client.
Note: The procedures covered in the following sections are based on openssh version
3.0.2p1. It provides support for SSH version 1.5 and 2.0 sessions.
Configuring the Sidewinder G2 as an SSH server
On the Sidewinder G2, SSH is typically used by administrators to log
in to the Sidewinder G2 securely from a remote machine. In this case
the Sidewinder G2 acts as the SSH server.
Administrator’s Overview 2-17

Remote administration using Secure Shell
2-18 Administrator’s Overview
When configuring the SSH server you have the option to use
RSA/DSA authentication. If you use RSA/DSA authentication, the
authentication is accomplished via an exchange of public and private
keys between the server and the client. The downside of RSA/DSA
authentication is that it requires a bit more of an administrative effort.
If you elect NOT to use RSA/DSA authentication, the SSH clients must
enter their Sidewinder G2 user name and authentication information
when initiating the SSH connection.
The following sub-sections provide specific information on
configuring the Sidewinder G2 as an SSH server using RSA or DSA
authentication, as well as general information on configuring the SSH
server.
Configuring SSH when not using RSA/DSA authentication
If you are not using RSA/DSA authentication, follow the steps below
to configure SSH.
1. In the Admin Console, select Services Configuration -> Servers.
2. Select sshd in the list of server names, and click the Configuration tab.
3. Ensure that the Allow RSA Authentication field is disabled.
Rather than using RSA authentication, each client will be required to log
in using their Sidewinder G2 user name and authentication information.
4. Click the Control tab.
5. Enable the SSH server in the desired burbs, then click the Save icon.
6. [Conditional] If a Host Key Pair does not exist, you will be prompted by
the Admin Console to confirm that the Admin Console will create an
SSH host key. Click Yes.
7. Configure and enable the authentication method you want to use to
authenticate SSH sessions. See Chapter 9 for information.
8. Create an SSHD rule that allows SSH clients to log into this Sidewinder
G2 using SSH.
In the rule, select the following options: Service Type= server,
Service = sshd. You will also need to select the authentication method
you enabled in step 7. See “Creating proxy rules” on page 7-4 for
information on creating a proxy rule using the Admin Console.
Note: If the client has previously established an SSH connection to the Sidewinder
G2, the information associated with the previous connection must be deleted from
the client.

Remote administration using Secure Shell
The Sidewinder G2 is now ready to accept SSH connection requests.
Remember that a client must have an administrator account on the
Sidewinder G2 in order to log in.
Configuring SSH when using RSA authentication
If you are using RSA authentication to configure SSH, follow the steps
below.
1. Connect to the Sidewinder G2.
2. Select Services Configuration -> Servers.
3. Select sshd in the list of server names, and click the Configuration tab.
4. Enable the Allow RSA Authentication field.
5. If you do not currently have an SSH host key pair, click on Generate New
Host Key. Click OK to acknowledge that the new key pair has been
created.
You must have at least one SSH host key pair for the SSH daemon to
operate. If you have an existing key pair, you do not need to create a
new one. The host key pairs are stored in the /etc/ssh directory and have
the following filenames:
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
ssh_host_dsa_key
ssh_host_dsa_key.pub
6. Click the Control tab.
SSH version 1.5 rsa private key
SSH version 1.5 rsa public key
SSH version 2.0 rsa private key
SSH version 2.0 rsa public key
SSH version 2.0 dsa private key
SSH version 2.0 dsa public key
7. Enable the SSH server in the desired burbs, and then click the Save icon.
8. From a command line prompt, create a subdirectory named /.ssh in
each administrator’s home directory.
Example: If an administrator named lloyd has a home directory named
/home/lloyd, create the /.ssh subdirectory by typing the following
commands:
Administrator’s Overview 2-19

Remote administration using Secure Shell
2-20 Administrator’s Overview
Note: If you are a read-only administrator, type srole AdmnRO in place of srole.
srole
cd /home/lloyd
mkdir .ssh
9. Use a text editor to create a file named authorized_keys in each
administrator’s /.ssh directory.
Do this using the File Editor provided in the Admin Console, or your
favorite UNIX editor.
10. Paste each user’s public key into the respective authorized_keys file.
The method you use to get the public keys onto the Sidewinder G2 is
up to you. You might use FTP, or you might copy/paste from one
window to another.
11. Create an SSHd rule that allows SSH clients to log into this Sidewinder
G2 using SSH. See “Creating proxy rules” on page 7-4 for information on
creating a rule using the Admin Console.
The Sidewinder G2 is now ready to accept connections from SSH
clients. Remember that an administrator must have an account on the
Sidewinder G2 in order to log in.
Configuring and using the Sidewinder G2 as an SSH
client
It is also possible for the Sidewinder G2 to act as an SSH client. For
example, you might want to establish an SSH connection between
two Sidewinder G2s. In this case one Sidewinder G2 operates as the
server (via the SSH daemon), and the other operates as an SSH client.
You have the option to use RSA authentication with the SSH client.
Note: On non-Sidewinder G2 systems, an SSH client that is run from root will bind to a
reserved port. As a security feature, the Sidewinder G2 SSH client is not allowed to bind to a
reserved port. This is prevented by Type Enforcement.
If not using RSA authentication
There is nothing to configure on the Sidewinder G2 if you are not
using RSA authentication. To use the Sidewinder G2 as an SSH client,
follow the steps below:

Remote administration using Secure Shell
1. Log in to the Sidewinder G2 and type the following command to switch
to the Admn domain.
srole
Note: If you are a read-only administrator, enter srole AdmnRO.
2. Establish the connection with the SSH server by typing one of the
following commands.
ssh login_name address
or
ssh login_name@address
where:
login_name = the name used when logging onto the SSH server.
address = the address of the host with which you are establishing an
SSH connection.
Note: You have the option to use an authentication method other than the default
method when connecting to another Sidewinder G2. Type a colon and the name of
the authentication method after the login_name field. For example, to use
SafeWord you would type:
ssh login_name:safeword address
If using RSA authentication
To use the Sidewinder G2 as an SSH client while using RSA
authentication, you must perform several configuration steps before
initiating the SSH connection.
Configuring the Sidewinder G2 as an SSH client
1. Connect to the Sidewinder G2.
2. Select Services Configuration -> Servers.
3. Highlight sshd in the list of server names, then click the Configuration
tab.
4. Click Generate New Client Key to generate a public and private key pair
that the Sidewinder G2 can use when acting as an SSH client.
Note: The Sidewinder G2 SSH client public and private keys are created in the
/home/username/.ssh directory, where username = the user name you used when
connecting to the Admin Console. The client key file names are identity.pub and
identity, respectively.
Administrator’s Overview 2-21

Remote administration using Secure Shell
2-22 Administrator’s Overview
5. [Conditional] If the SSH server that you will be connecting to is another
Sidewinder G2, connect to that Sidewinder G2 using the Admin
Console at this time.
If needed, click the New Firewall button in the top portion of the Admin
Console and add the other Sidewinder G2(s) to the list of Sidewinder
G2s you can administer.
6. If the SSH server that you will be connecting to is another Sidewinder
G2, click Export Client Key to export the public client key to the other
Sidewinder G2(s). Otherwise, use the best available method (FTP, cut
and paste, etc.) to export the public client key to the SSH server.
7. Select the Sidewinder G2 to export to, and click OK.
Using the Sidewinder G2 as an SSH client
1. At a Sidewinder G2 command prompt, enter the following command
to switch to the admn role:
srole
Note: If you are a read-only administrator, enter srole AdmnRO.
2. Establish the connection with the SSH server by typing the following
command.
ssh -l login_name -o "RSAAuthentication yes" address
where:
login_name = the user name used when logging onto the SSH server
address = the address of the host with which you are establishing an
SSH connection
See the ssh man page for more details.
On the Sidewinder G2, the SSH client must be run from the Admn
domain. Many SSH daemons, however, do not allow root users to
connect to the SSH daemon. To get around this, be sure to use the -l
option when logging in. This allows you to login as a different user.
Configuring the SSH Admin Console windows
SSH is configured from the Admin Console by selecting Services
Configuration -> Servers. Select sshd from the list of servers. Select the
appropriate check box(es) to enable the server for one or more burbs.
To configure the SSH server, select the Configuration tab. The following
window appears:

Figure 2-10. sshd Server
Configuration tab
Configuring the sshd Server
Configuration tab
Remote administration using Secure Shell
The SSH Server Configuration tab enables you to generate host and
client keys, and to specify whether RSA authentication is allowed.
Follow the steps below.
1. If you want to allow SSH connections to be authenticated using RSA
authentication, select the Allow RSA Authentication check box.
RSA authentication is a common encryption and authentication system
that uses an exchange of public and private keys between the server
and the client. It is based on the RSA algorithm. If this check box is not
enabled, all SSH connections must be authenticated using a password.
2. To generate an SSH host authentication key that will be used when the
Sidewinder G2 is acting as the server in an SSH connection, click
Generate New Host Key.
Note: When you click Generate New Host Key, the system will automatically
generate the following three authentication keys: RSA1, RSA, and DSA.
3. To generate the SSH version 1.5 client authentication key that will be
used when the Sidewinder G2 is acting as a client in an SSH connection,
click Generate New Client Key.
4. [Conditional] To export the client key to another Sidewinder G2, click
Export Client Key. You can only export the client key if one has been
generated and if you have an active Admin Console connection with
one or more additional Sidewinder G2s (the Sidewinder G2[s] that will
act as the SSH server).
5. Click the Save icon to save your changes.
Administrator’s Overview 2-23

Administering Sidewinder G2 using Telnet
Configuring the Export
Client Key window
Administering
Sidewinder G2
using Telnet
2-24 Administrator’s Overview
The Export Client Key window is used to select the Sidewinder G2(s)
to which you want to export the public client key. After selecting the
desired Sidewinder G2(s), click OK to initiate the export process.
Note: The SSH Admin Console windows currently support SSH version 1.5 session
configurations. If you are using SSH version 2.0, you must manually generate the Client Key
Pairs using a command line interface.
Tips on using SSH with Sidewinder G2
Please note the following information about SSH on the Sidewinder
G2.
There are two configuration files associated with SSH:
— For the SSH daemon: /etc/sshd_config
— For the SSH client: /etc/ssh_config
See the ssh, sshd, and ssh-keygen man pages for additional details.
The Sidewinder G2's SSH daemon and client are based on the
openssh implementation. See http://www.openssh.com for more
information.
If you prefer to administer Sidewinder G2 using a command line
interface rather than the Admin Console, you can configure Telnet
services that allow you to provide administration from a system within
your network. You can also allow trusted users to use a Telnet client
to log in to Internet systems remotely.
Setting up an internal (trusted) Telnet server
Telnet provides a way to log in to a system in your network from
another system. All you need to know is the name of the system in
which you want to log in. Once you have established a connection,
you are logged in just as you would be if you were physically located
at that system.
A Telnet server is defined for each burb on your Sidewinder G2: one
for the external (Internet) burb and one for each of the internal (or
trusted) burbs. This gives you the capability to Telnet to the
Sidewinder G2 from any system on an internal burb so you can
perform administrative tasks remotely.
Note: For security reasons, the Telnet servers are not initially enabled.

Administering Sidewinder G2 using Telnet
To access the trusted Telnet server, follow the steps below:
1. Create a proxy rule that allows access to the Telnet server and add it to
the active rule group. See “Creating proxy rules” on page 7-4.
2. Enable the Telnet server as follows:
a. Select Services Configuration -> Servers.
b. Select telnet from the list of server names.
c. Select the burb(s) in which you want the Telnet server to be
enabled. A check mark appears when the server is enabled for a
burb.
d. Click the Save icon in the toolbar.
Important: All users accessing a Telnet server must be authenticated. If the proxy
rule that allows entry for a Telnet connection does not specify authentication, users
will not be able to log in.
To perform Sidewinder G2 administration tasks, you must have an
account on the Sidewinder G2 as described on “Setting up and
maintaining administrator accounts” on page 3-5. Aside from your
account and authentication information, all you need to log in to the
Sidewinder G2 is the name. To log in to the Sidewinder G2 using
Telnet, see “Connecting to the Sidewinder G2 using Telnet” on page
2-26.
Setting up an external Telnet server
The Sidewinder G2 allows you to enable an external Telnet server. An
external server resides on the external network side of the Sidewinder
G2, and is available to Internet users once you set up the appropriate
“allow” proxy rules and add them to the active rule group. (The other
Telnet servers reside on the internal side of the Sidewinder G2 and are
available only to trusted users.)
Security Alert: Setting up a Telnet server on the external side of your Sidewinder G2
can raise security issues—contact Secure Computing Customer Support before
attempting this.
Administrator’s Overview 2-25

Administering Sidewinder G2 using Telnet
2-26 Administrator’s Overview
Connecting to the Sidewinder G2 using Telnet
Note: You must enable the Telnet server in the appropriate burb(s) before you will be
allowed to Telnet. See “Setting up an internal (trusted) Telnet server” on page 2-24.
1. Telnet to the Sidewinder G2 and log in by typing the following
command, using your Sidewinder G2 host name.
telnet hostname
When prompted, enter your Sidewinder G2 authentication information.
Depending on the authentication method configured for you on the
Sidewinder G2, you must now provide a valid password or a special
passcode or personal identification number (PIN) before you are logged
on to the Sidewinder G2.
2. Enter the following command:
srole
Note: To change to the AdmnRO domain, enter srole AdmnRO.
Enter commands from the UNIX prompt as required. Refer to
Appendix A or the man pages for information on using individual
commands.

C HAPTER 3
General System Tasks
About this chapter This chapter contains information on performing basic Sidewinder G2
procedures such as setting up administrator accounts, setting the date
and time, and saving system configuration information. This chapter
includes the following topics:
“Restarting or shutting down the system” on page 3-2
“Setting up and maintaining administrator accounts” on page 3-5
“Changing passwords” on page 3-9
“Setting the system date and time” on page 3-9
“Using system roles to access type enforced domains” on page 3-
11
“Configuration file backup and restore” on page 3-13
“Activating the Sidewinder G2 license” on page 3-19
“Protected host licensing and the Host Enrollment List” on page 3-
27
“Enabling and disabling servers” on page 3-30
“Configuring the synchronization server” on page 3-33
“Configuring scanning services” on page 3-34
“Configuring the shund server” on page 3-39
“Loading and installing patches” on page 3-41
“Modifying the burb configuration” on page 3-48
“Modifying the interface configuration” on page 3-50
“Modifying the static route” on page 3-54
“Configuring remote Admin Console management” on page 3-56
“Enabling and disabling multi-processor mode” on page 3-57
“Configuring the Sidewinder G2 to use a UPS” on page 3-58
3
General System Tasks 3-1

3
Restarting or shutting down the system
Restarting or
shutting down the
system
3-2 General System Tasks
You can boot the Sidewinder G2 to start up in one of two kernels:
Operational or Administrative (see “Sidewinder G2 kernels” on page
1-4 for descriptions of each kernel). This section describes how to
power up the Sidewinder G2 to the Operational kernel when the
Sidewinder G2 is powered off, and how to reboot or shut down the
system when the Sidewinder G2 is running.
Important: The Administrative kernel is used only when an administrator needs to
perform special tasks (such as installing software or restoring Sidewinder G2 software
from a backup tape), or under certain circumstances for troubleshooting purposes. For
information on powering on the system in the Administrative kernel, see “Powering-up the
system to the Administrative kernel” on page F-2.
When you power up the Sidewinder G2, it will boot to the
Operational kernel by default. You can perform the same tasks in the
Operational kernel as you can in the Administrative kernel. However,
you will almost always run the Sidewinder G2 in the Operational
kernel, unless you need to perform a full system backup or restore, or
to install hardware or software. All procedures that require the
Administrative kernel are discussed in Appendix F “Basic
Troubleshooting”.
The procedures to power-up, reboot, or shut down the Sidewinder G2
in the Operational kernel are described in the following subsections.
Important: When the Sidewinder G2 is rebooted or shutdown, a record of who issued
the action is logged in the /var/log/messages file. This applies to a reboot or shutdown
issued from the Admin Console or using the shutdown command.
Powering-on the system to the Operational kernel
Note: For information on powering-on the system to the Administrative kernel, see
“Powering-up the system to the Administrative kernel” on page F-2.
Because the Operational kernel is the default kernel, you can boot
your Sidewinder G2 to the Operational kernel by pressing the power
button. Once the system has booted, you can start the Admin Console
and log in to your Sidewinder G2. Once you are logged in, you can
perform the Operational kernel tasks described in this manual.
Note: If the boot process fails, see “What to do if the boot process fails” on page F-16.

Figure 3-1. System
Shutdown window
Entering information on the
System Shutdown window
.
Restarting or shutting down the system
Rebooting or shutting down using the Admin Console
The following procedure allows you to reboot or shut down the
system using the Admin Console.
In the Admin Console, select Firewall Administration -> System Shutdown.
The following window appears.
This window is used to either reboot the Sidewinder G2 or to shut
down the system completely. Follow the steps below.
1. In the Shutdown Options area, select the action you want to perform:
Reboot to Operational Kernel—Restarts the system in the
Operational kernel.
Reboot to Administrative Kernel—Restarts the system in the
Administrative kernel and displays the # prompt at the Sidewinder
G2, indicating that you are in a login shell and can start issuing
Sidewinder G2 or UNIX commands. (You will be prompted to
mount the file systems.)
Important: You must connect a keyboard and monitor to the Sidewinder G2
before you can administer the system in the Administrative kernel. See “Powering-up
the system to the Administrative kernel” on page F-2 for more information.
Halt System—Shuts down the Sidewinder G2 software without
restarting. Run this command before you move your Sidewinder
G2 to a new location or make hardware changes.
General System Tasks 3-3

Restarting or shutting down the system
3-4 General System Tasks
2. [Optional] If you want a shutdown message to appear informing users
of a pending shutdown, type the message text in the Shutdown
Message field.
3. In the Shutdown Time field, select the shutdown time from the
following options.
Immediately—The system will shutdown immediately when you
click Execute Shutdown.
Delay Shutdown for—The shutdown will be delayed for the
amount of time specified in the Hours and Minutes fields. You can
enter values in these fields that will delay the shutdown for up to
24 hours and 59 minutes.
4. Click Execute Shutdown to implement the shutdown.
Note: Any connections to the Admin Console will be lost when the Sidewinder G2
shuts down. New connections to the Sidewinder G2 will not be allowed once the
shutdown process has been executed.
Rebooting or shutting down using a command line
interface
Enter one of the following shutdown commands to reboot or
shutdown the system from a command line interface. The shutdown
process for a Sidewinder G2 that belongs to an HA cluster is slightly
different. See “Scheduling a soft shutdown for an HA cluster
Sidewinder G2” on page 16-27 for information on shutting down a
Sidewinder G2 that belongs to an HA cluster.
Note: To view the options to specify when the Sidewinder G2 will shutdown or reboot,
type man shutdown and press Enter.
To restart the system in the Operational kernel, enter the following
command at a Sidewinder G2 command prompt:
shutdown -r time_in_minutes
To restart the system to the Administrative kernel, enter the following
command at a Sidewinder G2 command prompt:
shutdown -g time_in_minutes
Important: You must connect a keyboard and monitor to the Sidewinder G2 before you
can administer the system in the Administrative kernel. See “Powering-up the system to the
Administrative kernel” on page F-2 for details.

Setting up and
maintaining
administrator
accounts
Setting up and maintaining administrator accounts
To shut down the Sidewinder G2 without restarting, enter the
following command at a Sidewinder G2 command prompt:
shutdown -h time_in_minutes
Each Sidewinder G2 administrator must have an account created on
the system. When you installed your Sidewinder G2, you created an
initial administrator account by entering a login name and password.
This section describes how to set up and maintain Sidewinder G2
accounts for other administrators.
Note: Only administrators have accounts directly on the Sidewinder G2. People who use
Sidewinder G2 networking services have “user” (or network login) accounts, not
Sidewinder G2 administrator accounts. See “Creating users and user groups” on page 5-1
for information on creating non-administrative user accounts.
When you add an administrator account, you will also assign the new
administrator a role. The following table describes the available
administrator roles.
Table 3-1. Administrator roles
Role Authorized to:
admin Access all windows, menus, and commands within the
Admin Console.
Add and remove users and assign roles.
Do incremental back-ups and restore the system. (Full
back-ups and restores are done in the Administrative
kernel.)
Use all other system functions and commands.
adminro Read access to all windows, menus, and commands within
the Admin Console (including monitoring, reporting, and
auditing). This role is generally used as an auditor role.
Use the following process to add, edit, or delete administrator account
information or change role assignments.
Start the Admin Console and select Firewall Administration -> Firewall
Accounts. A window similar to the following appears.
General System Tasks 3-5

Setting up and maintaining administrator accounts
About the Firewall
Accounts window
Figure 3-2.
Firewall Accounts
window
3-6 General System Tasks
This window displays the administrator accounts currently established
on the Sidewinder G2. Each row in the table defines one user
account, and contains the following information:
Username—This column identifies the name used by each
administrator when logging into the Sidewinder G2.
Full Name—This column identifies the full name of each user.
Role—This column identifies the authorized role for each user.
Directory—This column identifies the home directory path that is
created for that user.
You can also specify the following information, which applies to all
user accounts:
Delete home directory upon deletion of user—Select this check box to
configure the Sidewinder G2 to automatically delete a user’s home
directory if a user’s account is deleted from the system.
Administrator Authentication Default Method—Select the default
authentication method that will be used by administrators to log
in to the Sidewinder G2.
Note: This is different from the default authentication method that is specified
within individual proxy rules, which are only for proxy users.

Figure 3-3.
Administrator
Information tab
Setting up and maintaining administrator accounts
To create or modify a user account, click New or Modify, and see
“Adding or modifying an administrator account” on page 3-7 for
details.
To delete a user account, highlight the user account you want to
delete and click Delete. A confirmation message appears. Select Yes to
delete the account or No to cancel. (When you delete an administrator
account, the user database entry for that administrator is also
removed.)
Adding or modifying an administrator account
When you click New or Modify in the Firewall Accounts window, the
following window appears.
Note: The information shown in the Firewall Accounts window is stored in the
/etc/sidewinder/roles.conf file.
General System Tasks 3-7

Setting up and maintaining administrator accounts
Entering information on the
Firewall Accounts - New/
Modify window
3-8 General System Tasks
To create a new Sidewinder G2 administrator account or to modify an
existing account, follow the steps below.
1. In the Username field, type the user name for the administrator. The
name can consist of up to 16 alpha-numeric characters. However, a user
name must begin with an alphabetic character.
Important: Do NOT use uppercase characters in the username field, because
sendmail will automatically convert the user name to lowercase before mail is
delivered. Therefore, any mail addressed to a username that contains uppercase
characters will not be forwarded.
Note: If you are editing an existing account, you cannot change the user name.
2. In the Password field, type a password for this administrator. This is the
password the administrator must enter when logging into the
Sidewinder G2. Use the following guidelines to create a strong
password:
Use passwords that are at least 7 or 8 characters in length.
Use a mix of upper and lowercase letters, and non-alphabetic
characters such as symbols and numbers.
Do not use any easily guessed words or words found in a
dictionary, including foreign languages.
Note: If you are modifying the account, the encrypted password is displayed in this
field.
3. [Optional] In the Full Name field, type the full name of the administrator.
4. [Optional] In the Office field, type the office address of the administrator.
5. [Optional] In the Office Phone field, type the office phone number of the
administrator.
6. [Optional] In the Home Phone field, type the home phone number of
the administrator.
7. In the Directory field, specify the home directory for this administrator.
The default value for this field is /home/username. (This field can only
be modified if you are creating a new administrator account.)
8. In the Login Shell drop-down list, specify the UNIX shell that will be used
when this administrator logs in.

Changing
passwords
Setting the system
date and time
Changing passwords
9. In the Roles drop-down list, select the authorized role for this
administrator.
admin—Select this option if you want the user to have
administrator privileges for all areas on the Sidewinder G2.
adminro—Select this option to allow read privileges only. This role
will allow an administrator to view all system information, as well as
create and run audit reports. An administrator with read-only
privileges cannot commit changes to any area of the Sidewinder
G2.
10. Click Add to save the changes (or OK if modifying an account), or click
Cancel to exit the window without saving the changes.
To change an administrator account password (also known as a UNIX
account password), do the following:
Note: If you forget your password, you can still access the administrative kernel to change
your password. See “If you forget your administrator password” on page F-19.
1. In the Admin Console, select Firewall Administration -> Firewall
Accounts. The Administrator Accounts window appears.
2. Click on the administrator account whose password you want to
change, then click Modify. The Firewall Accounts: Modify window
appears.
3. In the Password field, enter the new administrator account password.
4. Click OK.
Use the following procedures to check the Sidewinder G2 system
clock or change the system clock from the Admin Console.
Viewing/changing the date and time
To check and/or change the system date and time settings, start the
Admin Console and select Firewall Administration -> Date and Time. The
Date and Time window appears.
General System Tasks 3-9

Setting the system date and time
Figure 3-4. Date and
Time window
About the Date and Time
window
3-10 General System Tasks
To change the date and time, follow the steps below.
Important: Applying changes to the date and time will cause the Sidewinder G2 to
automatically reboot. Therefore, you should only modify date and/or time settings during
off-hours. Also note that the reboot will cause you to lose your Admin Console connection.
Important: The Admin Console allows you to set the clock ahead a maximum of 31
days. The Admin Console does NOT allow you to set the system clock back in time. To set
the clock back, reboot to the Administrative kernel and run the config_time utility. See
“Changing the date or time using the config_time utility” on page 3-10 for details.
1. In the Location drop-down list, select the world-wide location of this
Sidewinder G2.
2. In the Time Zone drop-down list, select the time zone in which this
Sidewinder G2 is located.
3. In the Date field, select the current date from the Month, Day, and Year
drop-down lists.
4. In the Time drop-down list, select the current time (hours, minutes,
AM/PM).
5. Click the Save icon to save your changes.
Changing the date or time using the config_time utility
To change the system date or time setting on Sidewinder G2 use the
config_time utility, as follows.
1. Reboot the Sidewinder G2 to the Administrative kernel. For information
on rebooting to the Administrative kernel, see “Powering-up the system
to the Administrative kernel” on page F-2.

Using system roles
to access type
enforced domains
Using system roles to access type enforced domains
2. At a Sidewinder G2 command prompt, enter the following command:
config_time
The first date and time configuration window appears.
3. Specify the correct time zone.
When you are prompted to set the time zone, type yes or no (default),
then press Enter.
If you respond no, proceed to step 4.
If you respond yes, a list of time zone options appears and you
must type in the exact spelling for the time zone option you want
and then press Enter.
4. Specify the correct system clock settings.
At the screen asking if you want to set the system clock, type yes or no
(default), then press Enter.
If you respond no, the config_time script stops.
If you respond yes, you will be prompted to enter the current
date, then the current time. Specify the date and time in the format
shown on the screen.
Important: If you increment the system date by more than a few days, you may
cause passwords to expire. For example, if a user’s password is set to expire in six days
and you increment the date setting by seven days, that user’s password will
automatically expire.
5. Reboot to the Operational kernel by entering the following command:
shutdown -r now
The following information provides command line information that
will assist you in determining the kernel, domain, and system role in
which you are currently running.
Note: For more information on any of the commands described below, see the
appropriate man page.
Checking which kernel you are running (uname)
To find out whether you are operating in the Administrative or
Operational kernel, type the following command:
uname -a
General System Tasks 3-11

Using system roles to access type enforced domains
3-12 General System Tasks
Using the -a parameter in this command specifies to print the kernel
name as well as other system identifying attributes, such as hardware
platform information. SW_OPS indicates you are running in the
Operational kernel. SW_ADMIN indicates you are running in the
Administrative kernel.
Checking which domain you are using (whereami)
To check which domain you are currently executing in, type the
following command:
whereami
A response similar to the following will appear:
domain=User
The domain in the response indicates in which domain you are
operating.
Changing your domain access using the system role
(srole) command
When you initially log in to the Sidewinder G2 using a command
prompt, you are logged into the User domain by default. The User
domain allows very little access, including no access to sensitive files.
To change to the Admn domain, which allows access to all
Sidewinder G2 domains (based on your administrative role), enter the
following command:
srole
Note: If you are a read-only administrator, enter srole adminro to change to the
AdRO domain.
To return to the previous domain role and shell, enter the following
command:
exit
You are returned to the User domain.

Configuration file
backup and
restore
Configuration file backup and restore
Note: For information on performing a full or incremental system backup or restore, see
“Backing up system files” on page F-4 and “Restoring system files” on page F-8.
Note: For information on performing a configuration restore using the command line,
see “Restoring configuration files using the command line” on page F-14.
This feature enables you to backup and restore Sidewinder G2
configuration files. Backing up the configuration files enables you to
quickly restore a Sidewinder G2 to its desired operational state. Note
that this is different from the full system file backup and restore
capabilities described in the Troubleshooting appendix. Table 3-2
shows the difference between a configuration backup and a system
file backup.
Note: Use a full system file backup after adding new hardware. See “Performing a full
system backup (level0)” on page F-5.
Table 3-2. Configuration backup/restore vs. system file backup/restore
Configuration backup and restore System file backup and restore
Backs up and restores just the
Sidewinder G2 configuration files.
Backs up the files to diskette, to itself, or
to the hard drive of another Sidewinder
G2.
Does not allow for incremental
backups.
You backup and restore from within the
Operational kernel. This enables you to
perform the backup and restore on
another Sidewinder G2.
Can be performed on either a local or a
remote Sidewinder G2, using the
Admin Console.
Enables you to restore a Sidewinder G2
without having to re-install from
scratch.
Backs up and restores the entire
Sidewinder G2 hard drive.
Backs up the Sidewinder G2 hard
drive to a DAT.
Allows for incremental backups.
Requires you to boot to the
Administrative kernel to perform the
backup and restore. This means you
cannot perform this backup and
restore on another Sidewinder G2.
Can only be performed locally using
the Installation Wizard.
Requires you to re-install from scratch
using the DAT.
More . . .
General System Tasks 3-13

Configuration file backup and restore
Figure 3-5. Configuration file backup options
Option 1)
Back up your local
Sidewinder G2
configuration files to
diskette
Option 2)
Back up your Sidewinder G2
configuration files to its own hard
drive (used to allow you to FTP
the configuration backup to
another location, for instance).
Option 3)
Back up a Sidewinder G2
to a different Sidewinder
G2.
3-14 General System Tasks
Configuration backup and restore System file backup and restore
Restores only the configuration files.
Mail queues, audit trails, etc., are not
restored.
Does not backup site-specific changes
made to non-configuration files.
The backup and restore process is
quick.
Restores the entire system as it
existed at the time of the backup. This
includes old mail queues, audit trail
information, etc.
Backs up all site-specific changes.
The backup and restore process is not
as quick.
Figure 3-5 displays the various options you have when using the
configuration backup process.
Sidewinder G2
local Sidewinder G2
SSL
connection
local Sidewinder G2
Internet
Remote
Sidewinder G2

What is backed up and
restored
What is not backed up or
restored
Configuration file backup and restore
There are two files that determine which configuration files will be
backed up and restored. The files are located in the
/etc/backups/config_backup directory and are named:
backup_file_list—Contains the list of files and directories that will
be included in the configuration backup/restore process. Wild
cards can be used when specifying names in this file.
exclude_file_list—Defines the files within backup_file_list that
should be excluded from the configuration backup/restore
process. For example, files that contain graphics are located in
some of the directories specified in backup_file_list that should not
be included in the configuration backup/restore process. You
cannot specify directory names or use wild cards in this file.
Caution: While it is possible to modify these two files, do so with caution. To prevent
accidental modification, these files are defined as read-only. If you absolutely must modify
one of these files, use the Admin Console.
The general rule is, if it is not a configuration file it will not be backed
up. For example, the configuration backup/restore process will not
process the mail queues, the audit trail, the log files, any executable
files, etc. As such, modifications you make to non-configuration files
will not be backed up and restored.
Backing up and restoring configuration files using the
Admin Console
To back up or restore your configuration files using the Admin
Console, start the Admin Console and select Firewall Administration ->
Configuration Backup. The Configuration Backup window appears.
Note: See “Restoring configuration files using the command line” on page F-14 for details
on restoring configuration files when the Admin Console is not accessible.
General System Tasks 3-15

Configuration file backup and restore
Figure 3-6. Configuration
Backup window
About the Configuration
Backup window
3-16 General System Tasks
The Configuration Backup window allows you to backup and restore
your Sidewinder G2 configuration files. Configuration files can be
backed up to either a floppy diskette, the Sidewinder G2 hard drive,
or the hard drive of another Sidewinder G2. You can restore the
backup configuration files using this window when your system is
operational.
Important: If you will be performing a configuration backup to or restore from a
remote Sidewinder G2, you must first configure the synchronization server information
(see “Configuring the synchronization server” on page 3-33). You must also enable the
Synchronization proxy rule on the remote Sidewinder G2. See “Creating proxy rules” on
page 7-4.
Backing up configuration files using the Admin Console
To back up your configuration files using the Admin Console, follow
the steps below.
1. In the Configuration Action field, select Backup.

Configuration file backup and restore
2. In the Backup To or Restore From field, select the type of backup you
want to make:
Floppy Diskette—Select this option to back up to a floppy diskette.
Local Sidewinder—Select this option to back up to the Sidewinder
G2 hard drive (the backup can then be transferred to another
location using FTP).
Remote Sidewinder—Select this option to back up to a different
Sidewinder G2. If you select this option, you must first ensure that
both the synchronization server and Synchronization rule have
been configured and enabled on the remote Sidewinder G2
(where the backup will reside). See “Configuring the
synchronization server” on page 3-33.
[Conditional] If you selected Remote Sidewinder or Local
Sidewinder in the previous step, do the following:
a. [Remote Sidewinder only] In the Address field, type the IP address of
the remote Sidewinder G2.
b. [Remote Sidewinder only] In the Port field, type the port that will be
used to connect to the remote Sidewinder G2. The port number
specified in this field must match the port number used for the
remote Sidewinder G2. The default for this field is 9005 and should
not be modified.
Note: The Port field does not support port lists. The remote Sidewinder G2 must be
listening on the specified port for the transfer to occur.
c. [Remote Sidewinder only] In the Shared Sync Key field, enter a
synchronization key that you created when you configured the
synchronization server. (You can view the synchronization key for
the synchronization server by going to Services Configuration ->
Servers -> Synchronization -> Configuration tab.)
d. In the Filename field, type the filename that the current
configuration is stored as on the specified Sidewinder G2 in the
/var/backups/repository directory. This is needed in case there are
multiple configurations on your Sidewinder G2.
Remote backups will be stored in directories and file names with the
format filename.hostname (where the filename is the user-specified
value and the hostname is the fully qualified domain name of the
Sidewinder G2 being backed up or restored.
General System Tasks 3-17

Configuration file backup and restore
3-18 General System Tasks
3. To edit the list of files that will be included in the backup, click Edit
Include List. A file editor window is displayed, containing a list of the files
and directories that will be backed up. In this window, you can add or
delete files or directories to include in the backup.
Note: By default, previous backups are not included in a new backup. If you want to
include previous backup files in a current backup, you must add the
/var/backups/repository file path to the Include List.
4. To edit the list of files that will be excluded from the backup, click Edit
Exclude List. A file editor window is displayed, containing a list of the
files that will NOT be backed up. You can add or delete files from the
exclude list as desired. (Only individual files can be added or deleted
from the Exclude list. You cannot include directories in the Exclude list.)
5. The Local Backup Files area provides a list of current configuration
backups stored on the local Sidewinder G2 hard disk repository. To
delete a backup file from the list, highlight one or more backups that
you want to delete and click Delete.
6. To begin the backup process, click the Save.
Important: You must remove the diskette before the Sidewinder G2 reboots or the
reboot process will fail.
Restoring configuration files using the Admin Console
To restore configuration files using the Admin Console, follow the
steps below.
Note: You must restore configuration files from a backup file that was created at the
same version as the system to which you are restoring (for example, if your system is
currently running at version 6.1.1.00, you can only perform a restore using a version
6.1.1.00 configuration backup file).
1. In the Configuration Action field, select Restore.
2. In the Backup To or Restore From field, select the type of restore you
want to perform:
Floppy Diskette—Select this option to restore from a floppy
diskette.
Local Sidewinder—Select this option to restore from the
Sidewinder G2 hard drive.
Remote Sidewinder—Select this option to restore from a different
Sidewinder G2.
Note: The Local Backup Files area provides a list of current configuration backups
stored on the Sidewinder G2 hard disk repository.

Activating the
Sidewinder G2
license
Activating the Sidewinder G2 license
3. [Conditional] If you selected Remote Sidewinder or Local Sidewinder in
the previous step, do the following:
a. [Remote Sidewinder only] In the IP address field, type the IP address
of the remote Sidewinder G2.
b. [Remote Sidewinder only] In the Port field, type the port that will be
used to connect to the remote Sidewinder G2. The port number
specified in this field must match the port number used for the
remote Sidewinder G2.
Note: The Port field does not support port lists. The remote Sidewinder G2 must be
listening on the specified port for the transfer to occur.
c. [Remote Sidewinder only] In the Shared Sync Key field, enter a
synchronization key that you created when you configured the
synchronization server on the remote Sidewinder G2 (where the
backup resides). You can view the synchronization key for the
synchronization server by going to Services Configuration -> Servers
-> Synchronization -> Configuration tab.
d. In the Filename field, type the filename that the current
configuration is stored as on the Sidewinder G2 in the
/var/backups/repository directory. This is needed in case there are
multiple configurations on your Sidewinder G2.
4. To begin the restore process, click the Save. The system will
automatically reboot when the restore process is complete.
Important: If you selected the diskette method, you will be prompted to insert a
diskette into the Sidewinder G2 diskette drive. You must remove the diskette before
the Sidewinder G2 reboots or the reboot process will fail.
In most cases, you will license your Sidewinder G2 and any licensed
features during the initial configuration process. When you initially
connect to a Sidewinder G2 using the Admin Console, a window
appears displaying a list of features that are currently licensed for that
Sidewinder G2.
If you need to relicense or license a feature after initial configuration,
you can use this section to activate a license using the Admin Console.
Note: When the Sidewinder G2 is rebooted or shutdown, a record of who issued the
action is logged in the /var/log/messages file. This applies to a reboot or shutdown issued
from the Admin Console or by using the shutdown command.
Important: See “Protected host licensing and the Host Enrollment List” on page 3-27 for
information on how the Sidewinder G2 enforces the host license limits.
General System Tasks 3-19

Activating the Sidewinder G2 license
From the Admin Console
(on the isolated network):
3-20 General System Tasks
Licensing from a Sidewinder G2 connected to the
Internet
If you are working on a Sidewinder G2 that is connected to the
Internet, you can use the following general steps to provide the
necessary information for your company and obtain an activation key.
1. Locate the serial number for your Sidewinder G2. The serial number
should appear on your Activation Certificate.
2. In the Admin Console, enter your company and contact information in
the Firewall Administration -> Firewall License -> Contact and Company
tabs. The information you provide in each tab is submitted when you
obtain your activation key, and is used for technical support assistance.
For details on providing information in the Contact and Company tabs,
see “Configuring the Firewall License tabs” on page 3-22.
3. In the Admin Console, complete the information in the Firewall
Administration -> Firewall License -> Firewall tab. Be sure to submit the
data to receive your activation key. See “Entering information on the
Firewall tab” on page 3-24 for details on completing the information
and receiving your activation key.
Note: You will need the serial number that you located in step 1.
4. Reboot the system.
Note: For information on rebooting to the Operational kernel, see “Restarting or
shutting down the system” on page 3-2.
When your system reboots, your Sidewinder G2 software and any
features you licensed will be activated.
Licensing from a Sidewinder G2 on an isolated network
If you are on an isolated network and do not have access to the
Secure Computing activation server, you can request an activation key
using the following method.
1. Locate the serial number for your Sidewinder G2 on the Activation
Certificate. The serial number is a 16-digit alpha-numeric code.
2. In the Admin Console, select Firewall Administration -> Firewall License,
and select the Firewall tab.
3. In the Serial Number field, enter the serial number.

From a workstation that has
Web access:
From the Admin Console
(on the isolated network):
Activating the Sidewinder G2 license
4. In the Firewall ID field, enter the MAC address you want to use as your
firewall ID.
There will be one MAC address listed for each NIC on the Sidewinder
G2. You need only to select one of the MAC addresses.
5. Go to any workstation with Web access and use a Web browser to
access the Sidewinder G2 activation Web page.
https://www.securecomputing.com/cgi-bin/sidewinder-activation.cgi
6. Complete the form on the Web site and click Submit.
A new Web page appears that displays the activation key.
7. Save the Web page to an html file.
8. Copy the file to a location that is accessible either by the Sidewinder G2
or by the system you are using to manage the Sidewinder G2.
You can copy the file using any of the following options:
FTP the file
E-mail the file
Save the file to a diskette
9. In the Admin Console, select Firewall Administration -> Firewall License,
and then select the Firewall tab.
10. Click Import Key.
11. Select one of the following:
Local File—Select this option if the activation key resides on a
diskette or hard drive on either a local machine or on a network
drive.
Firewall File—Select this option if the activation key resides in a
directory located on the Sidewinder G2.
12. Navigate to the location of the file you saved in steps 6 and 7, select the
file, then click OK.
The activation key located within the file is read and stored in the
Activation Key field.
13. In the Admin Console menu, select Firewall Administration -> System
Shutdown and reboot the Sidewinder G2 to the Operational kernel.
Note: For information on rebooting to the Operational kernel, see “Restarting or
shutting down the system” on page 3-2.
Your Sidewinder G2 software and the features you licensed are now
activated.
General System Tasks 3-21

Activating the Sidewinder G2 license
Figure 3-7. Firewall
License: Contact tab
Entering information in the
Contact tab
3-22 General System Tasks
14. To complete the licensing process, fill in the information fields in the
Firewall License windows. See “Entering information in the Contact tab”
on page 3-22 and “Entering information in the Company tab” on page
3-23 for details.
Configuring the Firewall License tabs
To configure license information, select Firewall Administration ->
Firewall License in the Admin Console. The Firewall License window
appears. The window contains four tabs used to collect various
licensing information.
The Contact tab is used to enter contact information for the
administrator of this particular Sidewinder G2. This information is
needed so that you can receive important customer bulletins and
renewable support licenses. Follow the steps below.
Note: The fields shown in parentheses are optional.
1. In the First Name field, type the first name of the Sidewinder G2
administrator.
2. In the Last Name field, type the last name of the Sidewinder G2
administrator.
3. In the E-mail field, type the e-mail address of the Sidewinder G2
administrator.

Figure 3-8. Firewall
License: Company tab
Entering information in the
Company tab
Activating the Sidewinder G2 license
4. In the Primary Phone field, type the phone number of the Sidewinder
G2 administrator, including the area code.
5. [Optional] In the Alternate Phone field, type an alternate phone number
in case the first number is unavailable.
6. [Optional] In the Fax field, type a fax number for your organization.
7. [Optional] In the Job Title field, type the job title of the person
responsible for administering this Sidewinder G2.
8. [Optional] In the Purchased From field, type the name of the company
that sold you this Sidewinder G2.
9. [Optional] In the Comments field, type record miscellaneous information
about your site.
10. Click the Save icon.
11. Click the Company tab to enter information about your company. The
Company tab appears.
The Company tab is used to enter information about the company
that has purchased this particular Sidewinder G2. Follow the steps
below.
1. In the Company Name field, type the full name of the company that
purchased this Sidewinder G2.
2. In the Industry Classification drop-down list, select the classification that
most closely matches your industry.
General System Tasks 3-23

Activating the Sidewinder G2 license
Figure 3-9. Firewall
License: Firewall tab
Entering information on the
Firewall tab
3-24 General System Tasks
3. Fill in the requested address information fields on the Company Address
tab and on the Billing Address tab. If the information is the same on
both tabs, enter the information on the Company Address tab, then
switch to the Billing Address tab and click Copy From Company Address.
4. Click the Save icon.
5. Click the Firewall tab to provide the information necessary to license
your Sidewinder G2. The Firewall tab appears.
This tab is used to enter information about the Sidewinder G2 you are
attempting to license. Follow the steps below.
Note: For information on the Current Features area, see “Displaying the status of features
on Sidewinder G2” on page 3-27.
1. In the Serial Number field, type the 16-digit alpha-numeric serial
number for this Sidewinder G2. The serial number is located on your
Sidewinder G2 Activation Certificate.
2. In the Firewall ID drop-down list, select a MAC address to use as your
firewall ID. There will be one MAC address listed for each NIC in the
Sidewinder G2. Select the first MAC address in the list.
The Activation URL field displays the URL of the Web site to which the
Sidewinder G2 licensing information will be sent. If you are required to
modify the URL, click Edit to modify the activation URL. The Edit
Activation URL window appears. See “Entering information on the Edit
Activation URL window” on page 3-26.

Figure 3-10. Firewall
License: Enrollment List
tab
Activating the Sidewinder G2 license
3. Click Submit Data to submit the data to the Secure Computing
Corporation licensing Web site. The license information is sent using an
encrypted HTTPS session. If the data is complete, the request will be
granted and a new activation key will be written to the Activation Key
field. This key is used by the Sidewinder G2 to activate or deactivate the
various software features available on the Sidewinder G2.
After receiving a new activation key, a message will appear prompting
you to reboot the Sidewinder G2. The new activation key will not take
effect until you perform a reboot.
The current status of the various Sidewinder G2 features is displayed in
the Current Features area. If a feature you want to use is currently not
licensed, you must obtain a different activation key in order to enable
that feature.
4. [Optional] If you need to import an activation key that has been saved
to a file, click Import Key. You will typically use this button if your
Sidewinder G2 or local network does not have access to the URL
defined in the Activation URL field. The activation key is retrieved by a
different machine, saved to an HTML file, then moved to a location that
is accessible by either the Sidewinder G2 or by the Windows machine
you are using to run the Admin Console.
5. Select the Enrollment List tab to enter information regarding the host
enrollment list. The Enrollment List tab appears.
General System Tasks 3-25

Activating the Sidewinder G2 license
Entering information on the
Enrollment List tab
3-26 General System Tasks
The he Licensed host limit field displays the number of hosts for which
you are licensed. The Number of hosts in enrollment list field displays the
current number of hosts that are contained in the enrollment list. The
Host Enrollment List displays the actual IP addresses of hosts that are in
the enrollment list. To delete a host, highlight the host you want to
delete, and click Delete. To refresh the window to reflect updated
information, click Refresh.
See “Protected host licensing and the Host Enrollment List” on page 3-
27 for an in-depth discussion about the Host Enrollment List.
Entering information on the Edit Activation URL window
To edit the activation URL, follow the steps below.
Note: Do not edit the activation URL unless instructed to do so by Secure Computing
Technical Support.
In Edit Activation URL window you can restore the default web-based
URL by clicking Restore Default URL. You can also click in the URL field
and manually type a new URL address. Click OK to save your changes
and return to the Firewall tab.
Entering information on the Import Key window
1. In the Source field, select either Local File or Firewall File.
Local File—Select this option if the activation key resides on a
diskette or hard drive on either a local machine or on a network
drive.
Firewall File—Select this option if the activation key resides in a
directory located on the Sidewinder G2.
2. In the File field, type the name of the file that contains the activation
key, or click Browse to search the available drives for the file that
contains the activation key. When you locate the file, select the file, then
click Open. The file name appears in the File field.
3. Click OK to approve the specified file. The activation key is extracted
from the file and written to the Activation Key field.
Note: You must reboot the Sidewinder G2 in order for the new activation key to take
effect.

Protected host
licensing and the
Host Enrollment
List
Protected host licensing and the Host Enrollment List
Displaying the status of features on Sidewinder G2
To display the status of the features installed on Sidewinder G2, in the
Admin Console select Firewall Administration -> Firewall License and then
select the Firewall tab. The Current Features field at the bottom of the
tab displays the features currently available for Sidewinder G2, and
the status of each feature on your particular Sidewinder G2.
The Host Enrollment List is a dynamic list that is used to record each
unique IP address (host) that makes an outbound connection to the
Internet. The Sidewinder G2 uses this list to verify compliance with
the IP address license "cap"—the portion of your Sidewinder G2
license that dictates the number of hosts the Sidewinder G2 will
support.
Important: You may ignore this section if you have an unlimited license. All license
processing is bypassed if you have an unlimited license.
Tip: In general, a host is a client on an internal or external network that is being protected
by the Sidewinder G2. For accounting purposes, a host is any unique host IP address that
originates a connection through the Sidewinder G2. See “How hosts are calculated” on
page 3-28 for more details.
The Sidewinder G2 provides administrators the capability to display
and modify the enrollment list. This allows you to identify which IP
addresses are currently counted against your protected host license
cap. It also enables you to delete IP address entries that you do not
want counted against your host cap. For example, you might do this if
a connection is initiated from a test system in your lab and you do not
want that system to count against the host license cap.
The Sidewinder G2 strictly enforces the maximum IP address (host)
license number, meaning only the number of IP addresses authorized
by the protected host license will be allowed to make connections
through the Sidewinder G2. If the number of IP addresses in the
enrollment list exceeds 75% of the number allowed by your protected
host license, an audit will occur. informing you that you are
approaching the maximum number of hosts. The audit will also
display the current number of hosts and the maximum number of
hosts that are allowed for your license.
General System Tasks 3-27

Protected host licensing and the Host Enrollment List
3-28 General System Tasks
If the enrollment list becomes full, additional audits will occur each
time a new IP address attempts to make a connection to the Internet.
However, only the IP addresses contained in the enrollment list will
be allowed. IP addresses not already listed in the enrollment list will
be unable to make a connection to the Internet. A user attempting to
make a connection using a browser will receive a standard policy
denial message. If a user is attempting to make a connection using a
non-browser application (for example, FTP) the connection will
simply be blocked and they will not receive an error message.
You can configure the licexceed alarm event to email the administrator
when the enrollment list reaches the maximum number allowed, and
IP addresses are denied access due to a protected host license
violation. See Chapter 17 for details on configuring alarms.
If you reach the host enrollment maximum and you want to allow
access to additional hosts, you will need to modify the host
enrollment list to remove hosts entries that no longer need to be
listed, upgrade your license, or upgrade to a larger Sidewinder G2
appliance. See “Displaying and modifying the Host Enrollment List”
on page 3-29 for information on managing the host enrollment list.
How hosts are calculated
In general, a host is defined as a workstation that is protected by the
Sidewinder G2 and uses the Sidewinder G2 to connect to the Internet.
Any host that contains a unique IP address and that initiates a
connection from a non-Internet burb is counted as a new host.
The manner in which remote hosts access the Sidewinder G2 may
affect the host count. For example:
Remote hosts that use dynamic addressing rather than static
addressing may have multiple IP addresses added to the Host
Enrollment List.
Hosts accessing the Sidewinder G2 via a VPN will be added to the
Host Enrollment List if the VPN uses proxies to move the traffic
from a non-Internet burb to another burb. Figure 3-11 illustrates
this idea.

Figure 3-11. Determining
which VPN clients count
against the host license
cap
Client A
Client B
= VPN tunnel
= Data
Protected host licensing and the Host Enrollment List
Internet
VPN
VPN
Sidewinder G2
internal
network
Client A = Not counted against the host license cap.
Client B = Counted against the host license cap.
The Sidewinder G2 counts total hosts, not concurrent hosts. It is
important to understand the distinction. Assume you have a 25 host
license. If you have 30 hosts, but only 20 are in use or online at any
one time, you will still exceed the license cap because the Sidewinder
G2 will eventually detect a 26th host, putting you over the limit.
Displaying and modifying the Host Enrollment List
To display and modify the contents of the Host Enrollment List using
the Admin Console, select Firewall Administration -> Firewall License and
click the Enrollment List tab. In this window, you can do the following:
View the number of hosts authorized by your current Sidewinder
G2 license in the Licensed host limit field. This is your host license
"cap."
View the current number of hosts listed in the Number of hosts in
enrollment list field. This number is important because if it exceeds
the number of hosts authorized by the Sidewinder G2 license, you
will be considered to be in violation of your license cap. If you
have an unrestricted host license, the term Unlimited will appear
in this field.
The Host Enrollment List is cleared automatically if you upgrade
your protected host license.
Delete hosts from the Host Enrollment List by highlighting the host
and clicking Delete. To select multiple hosts to delete, hold the
Shift key while selecting the hosts.
Note: You can update the contents of the Host Enrollment List field by clicking
Refresh.
e
x
t
i
n
t
proxies
virtual
General System Tasks 3-29

Enabling and disabling servers
Enabling and
disabling servers
Figure 3-12. Servers
window
3-30 General System Tasks
Consider the following information when deleting entries from the
enrollment list:
— If the host you delete has a current connection through the
Sidewinder G2, that connection will be preserved.
— If the host severs the connection and attempts a new
connection, the new connection request may or may not be
approved.
— A new connection request will be permitted only if there is
still room available within the enrollment list.
The Admin Console allows you to view the status of each server and
to enable or disable each server from one central location. You can
also configure some of the servers in this window. To view the status
of a server or to enable/disable a server, select Services Configuration ->
Servers.
About the Servers window The Server window displays a list of the available servers in the left
portion of the window. A green circle appears in front of a server if
the server is currently enabled. A red circle with a slash indicates that
the server is disabled. When you select a server, the properties for that
server appear in the right portion of the window.

Table 3-3. Sidewinder G2 servers
Server Name Notes
Enabling and disabling servers
You can enable or disable some servers for the entire Sidewinder G2,
while other servers can be enabled or disabled for individual burbs on
the Sidewinder G2. The fields and buttons that appear in the right
portion of the window will change depending on the type of server
that is selected. If the selected server can be enabled for individual
burbs, the Enabled For field will also appear. To enable or disable a
server, select the Control check box for that server for each burb. (A
check mark appears for each burb in which the server is enabled.)
The following table provides some helpful information on specific
servers.
auditdbd The audit database daemon server. By default, this server is not enabled. See Chapter 18.
changepw The Change Password server. See Chapter 9.
cmd Certificate Management Daemon server. The CMD server must be enabled before
configuring the certificate server. See Chapter 13.
entrelayd The entrelayd server is used for managing standalone Sidewinder G2s, as well as multiple
Sidewinder G2s in an HA cluster or One-To-Many cluster. See Chapter 15 and Chapter 16.
fixclock The basic clock synchronization server that is used to ensure that the Sidewinder G2 clock
remains up-to-date. This server cannot be enabled if you have configured and enabled NTP
on your Sidewinder G2.
gated-unbound The server used in conjunction with OSPF (Dynamic) routing. See Appendix C.
isakmp The ISAKMP server is used by the Sidewinder G2 to generate and exchange keys for VPN
sessions. See Chapter 13.
kmvfilter The kmvfilter (keyword, MIME, and virus filter) server enables the Sidewinder G2 to perform
keyword, MIME, and anti-virus mail filtering. For information on configuring mail filtering, see
“Creating Mail Application Defenses” on page 6-21.
named-internet A DNS server. Available only if two DNS servers (Split DNS mode) are defined. This server
services the Internet burb. See Chapter 10.
named-unbound A DNS server. If one DNS server is defined, this server services all the burbs on the
Sidewinder G2. If two DNS servers (Split DNS mode) are defined, this server services all burbs
except the Internet burb. See Chapter 10.
ntp The Network Time Protocol (NTP) server. See Appendix B.
More . . .
General System Tasks 3-31

Enabling and disabling servers
Server Name Notes
routed The server used in conjunction with RIP routing. See Appendix D.
sendmail The SMTP server. See Chapter 11.
shund The shund server accepts shunning requests from Intrusion Detection Servers (IDS), and
verifies the signature on the data that the IDS has generated.
snmpd Simple Network Management Protocol daemon. The SNMP server can only be enabled for
one burb, and it cannot be enabled for the Internet burb. See Chapter 14.
spamfilter This server allows you to enable anti-spam mail filtering for the burbs that you specify, as well
as configure whitelists for internal and external burbs. For information on configuring antispam
mail filter rules, see “Creating Mail Application Defenses” on page 6-21. For information
on configuring advanced spamfilter properties and whitelist configuration, see “Configuring
advanced anti-spam options” on page 11-13.
sshd The Secure Shell daemon server. The SSHd server provides secure encrypted communication
between two hosts. See Chapter 2.
sso The Single Sign-On (SSO) server allows you to configure SSO. SSO allows users access to
multiple services with a single successful authentication to the Sidewinder G2. See
“Configuring SSO” on page 9-27.
Note: If you disable the SSO server, the SSO authenticated user cache will be emptied (that is, all
cached users will be removed). When the SSO server is enabled again, all users will need to
authenticate before being added back into the cache.
synchronization The synchronization server is used to synchronize configuration information among
Sidewinder G2s that are participating in a One-To-Many cluster or an HA cluster. It also allows
you to perform a configuration backup or restore to/from a remote Sidewinder G2. See
“Configuring the synchronization server” on page 3-33.
telnet If you disable the Telnet server, all future connections will be denied. Any users who are
currently logged in to the server will not be affected. See Chapter 2.
upsd The Uninterruptible Power Supply daemon server. See “Configuring the Sidewinder G2 to use
a UPS” on page 3-58 for more information.
WebProxy The Web Proxy server. Certain Sidewinder G2 features such as SmartFilter will not work if the
Web Proxy server is disabled. See Chapter 12.
3-32 General System Tasks

Configuring the
synchronization
server
Figure 3-13. Synchronization
server:
Configuration tab
About the synchronization
server Configuration tab
Configuring the synchronization server
The synchronization server is used to synchronize configuration
information among Sidewinder G2s that are participating in a One-To-
Many cluster or an HA cluster. It also allows you to perform a
configuration backup or restore to/from a remote Sidewinder G2.
To configure the synchronization server, log in to the Admin Console,
select Services Configuration -> Servers and then select synchronization
from the Server Name list. The synchronization server Control tab
appears. To enable or disable a server, select the Control check box for
that server for each burb. (A check mark appears for each burb in
which the server is enabled.) To configure the synchronization server,
select the Configuration tab. The following window appears.
This tab allows you to configure the shared synchronization key and
port number, and allows you to select the SSL certificate for the
synchronization server. Follow the steps below.
Note: The synchronization server is automatically configured for you when you create a
High Availability or One-To-Many cluster.
1. In the Shared Sync Key field, type the shared key. The shared key is any
10 character, alphanumeric string (for example, 12345abcde). You will
need to enter this key again if you configure HA or One-To-Many, or if
you perform a configuration backup or restore from a remote
Sidewinder G2.
2. In the Port field, specify the port on which the synchronization server
will listen. The default is 9005 and should not be changed.
3. In the SSL Certificate drop-down list, select the certificate to use for the
synchronization server. The certificate will be one of the following:
the default certificate
a self-signed, RSA certificate that is defined on the Firewall
Certificates tab of the Certificate Management window.
Important: Before assigning a new certificate, you must first create a new
certificate.
General System Tasks 3-33

Configuring scanning services
Configuring
scanning services
3-34 General System Tasks
4. [Conditional] To go to the Firewall Certificates window, click Certificates.
The Firewall Certificates window is used to define new certificates. After
creating a new certificate you can return to the Configuration tab and
assign the new certificate to the synchronization server.
For detailed information on certificates, refer to “Configuring and
displaying firewall certificates” on page 13-37.
5. Enable the Synchronization rule. See “Creating proxy rules” on page 7-4.
6. Click the Save icon to save your changes.
The scanner service is a licensed feature that utilizes virus scanning
services that allow you to configure and enable system-level MIME
and virus scanning on the Sidewinder G2 for HTTP and mail. When
you enable scanning services, you can specify the number of server
processes that will be dedicated to various data sizes, allowing the
Sidewinder G2 to process data more efficiently. You can also
configure how often the subscription list will be updated.
To utilize scanning services on Sidewinder G2, you must also ensure
the following conditions have been met:
The Anti-Virus feature must be licensed. To verify that the feature
has been licensed, see “Displaying the status of features on
Sidewinder G2” on page 3-27. If you are not licensed for Anti-
Virus, contact your sales representative.
The kmvfilter server must be enabled for the appropriate burbs if
you are scanning mail messages. (This server is not required to be
enabled for HTTP scanning services.) For information on enabling
the kmvfilter server, see “Enabling and disabling servers” on page
3-30.
The appropriate Application Defenses must be configured and
contained in proxy rules that are included in the active proxy rule
list.
Note: For information on configuring scanning for Web services, see “Creating Web or
Secure Web Application Defenses” on page 6-4. For information on configuring scanning
for mail services, see “Creating Mail Application Defenses” on page 6-21.
To configure and enable scanning services, in the Admin Console
select Services Configuration -> Scanner. The Scanner window appears
with the Control tab displayed.

Figure 3-14. Scanner:
Advanced tab
About the Scanner Control tab
Configuring scanning services
This tab allows you to enable or disable the scanning services. This
feature must be enabled if you are planning to configure MIME and/or
anti-virus filtering for Web and/or mail services. To enable scanning
services, click Enable. To disable scanning services, click Disable. To
configure the scanner feature, click the Advanced tab and see “About
the Scanner Advanced tab” on page 3-35.
Important: The MIME/anti-virus scanning service is a licensed feature. While scanning
services can be enabled and configured, they will not function unless the feature been
licensed. For information on licensing a feature, see “Activating the Sidewinder G2 license”
on page 3-19.
About the Scanner Advanced tab
This tab allows you to configure how the scanner processes on your
Sidewinder G2 will be distributed for incoming and outgoing traffic.
This is done by configuring the scanner groups that are defined in the
distribution table. There are four groups (or types) of traffic, each with
a specific size category. For each size category, you can specify how
many scanner processes will be dedicated to processing traffic for that
size range. (You cannot modify the size values or configure additional
size categories.)
The File Size Range column displays the size limits for each group. The
Scanners column displays the number of scanner processes that will
be dedicated to that size range. The number of scanner processes that
you specify for each group will depend on the type of traffic your
Sidewinder G2 processes.
General System Tasks 3-35

Configuring scanning services
About the Edit Scanners
window
3-36 General System Tasks
For example, if your Sidewinder G2 processes a large amount of
traffic that is under 40kB, you may dedicate a larger number of
scanner processes to that group. If your Sidewinder G2 processes only
a small amount of traffic that exceeds 40kB, you may dedicate only
one scanner process to that group. There is also a default Unlimited
group that processes all traffic that is over 1MB.
This tab also allows you to view the current virus scanner engine
version. To configure the Scanner Advanced tab, follow the steps
below.
1. To configure the number of scanner processes for a particular group,
highlight the group in the table and click Modify. The Edit Scanners
window appears. See “About the Edit Scanners window” on page 3-36
for information on configuring the number of scanner processes for a
group.
2. In the Scan Buffer Size field, specify the size of information (in kB) that
can be held in the memory buffer before a backup file is created to
temporarily hold the traffic for processing. This value must be between
8kB and 64kB. The default value is 50kB.
3. In the Archive Scan Buffer Size field, specify the amount of memory that
will be used to contain the contents of archive files before the anti-virus
engine will temporarily write the contents to disk to perform the virus
scan. The default is 64MB.
4. To view the virus scanner engine version number that is currently
installed, click Show Installed Engine Version Number Now. A pop-up
window appears displaying the current version. To close the pop-up
window, click OK.
5. To continue configuring the scanner feature, click the Signatures tab
and see “About the Scanner Signature tab” on page 3-37.
The Edit Scanners window allows you to specify the number of
scanner processes that will be available for processing traffic that falls
within the size limits of the selected group. You must dedicate at least
one scanner process to each group.
1. In the Scanners field, specify the number of scanner processes you want
to dedicate for the selected group. The number of scanner processes
should not exceed a combined total of 20 processes for all groups that
are configured. (Configuring more than 20 total processes may have a
negative impact on performance.)
2. Click OK to update the group and return to the Scanner Advanced tab.

Figure 3-15. Scanner:
Signature tab
About the Scanner Signature tab
Configuring scanning services
This tab allows you to configure the properties for anti-virus updates.
You can download and install virus updates manually, or you can
configure the Sidewinder G2 to automatically download and install
updates at intervals that you determine. Follow the steps below.
Important: Secure Computing recommends downloading the latest signature files
prior to enabling Anti-Virus services on the Sidewinder G2.
1. In the Source area, verify/modify the following fields:
FTP Site—The name of the FTP site from which the package will be
downloaded.
Note: If the download fails, verify that the name resolves to an IP address and
is reachable from the Sidewinder G2 host.
Username—The name to use when logging onto the FTP site. The
default user name is anonymous.
Password—The password must be used when logging onto the
FTP site. The password is your e-mail address.
Directory—The path name on the FTP site that contains the
update. The default directory is /pubs/antivirus/datfiles/4.x/.
2. [Conditional] To configure automatic virus updates, follow the sub-steps
below. To manually update the virus definitions immediately, go to step
3. (The download process validates the new signature files against the
currently installed engine.)
a. Select the Enable Automated Download and Install check box to
configure the download and install properties.
General System Tasks 3-37

Configuring scanning services
3-38 General System Tasks
b. In the Frequency field, specify how frequently you want to
download and install updated information. To download and install
every day, select Daily. To download and install once a week, select
Weekly.
c. [Conditional] If you selected Weekly in the previous step, in the Day
field, specify the day of the week that you want to download and
install updates. You can use the up and down arrows to select the
day, or you can type the first few letters of the day to display the
appropriate day.
d. In the Time field, specify the time of day you want the Sidewinder
G2 to download and install the updates. Select the portion of the
time you want to change (hours, minutes, seconds) and then use
the up and down arrows to navigate to the desired value.
Note: Downloading and installing updates has a minimal impact on your system.
Traffic that is received while the download and installation are in process will be
scanned using the current version. Once installation is complete, all traffic will be
scanned using the updated scanner information.
e. If you want to receive e-mail notification when the updates are
downloaded and installed, select the Enable Email Notification check
box. If you select this option, you will also need to specify an e-mail
address in the Recipient field.
f. Proceed to step 5.
3. [Conditional] To update the virus definition manually, follow the substeps
below.
a. Click Download and Install Signatures Now. A pop-up window
appears.
b. Click Background to perform the update in the background, or click
Wait to receive a notification and status pop-up when the update is
complete. Proceed to step 5.
4. To view the current version of the signature file you are using, click
Show Installed Signatures File Version Number Now. An Info window
appears displaying the current installed version. When you are finished
viewing the version, click OK.
5. Click the Save icon to save your changes.

Configuring the
shund server
Figure 3-16. Shun server:
IDS Configuration tab
Configuring the IDS
Configuration tab
Configuring the shund server
The shund server accepts shunning requests from Intrusion Detection
Servers (IDS), and verifies the signature on the data that the IDS has
generated. If the signature is valid, a blackhole command is executed
to shun the IP address as requested.
To configure the shund server, follow the instructions below.
In the Admin Console, select Services Configuration -> Servers and select
shund from the server list. The shund server Control tab appears.
Configuring the Control tab
A check mark will appear in front of each burb for which the shund
server is enabled. To enable the shund server for one or more burbs,
select the appropriate check box(es) in the Enabled For area. To
disable the shund server in one of more burbs, deselect the
appropriate check box(es). Click the Save icon to save your changes.
To configure the IDS properties, select the IDS Configuration tab. The
following window appears.
The IDS Configuration tab allows you to configure the IDS servers
from which the shund server will accept requests. The IDS Server Port
field identifies the IDS Server Port. The default port is 8111. To modify
the port, type the new port number in the IDS Server Port field, and
click the Save icon. To revert to the default port (8111), click Restore
Default.
General System Tasks 3-39

Configuring the shund server
Figure 3-17. IDS Server
window
About the IDS
Configuration: IDS Server
window
About the Shunned IPs
window
3-40 General System Tasks
To view currently shunned IP addresses, click Current Shunned IP
addresses, and see “About the Shunned IPs window” on page 3-40.
To delete an existing IDS server, highlight the server and click Delete.
You will be prompted to confirm the deletion. Click Yes to delete the
IDS server, or No to Cancel.
To add a new IDS server, click New. To modify an existing IDS server,
highlight the server and click Modify. To create a duplicate an IDS
server, click Duplicate. The IDS Configuration: IDS Server window
appears.
The IDS Server window allows you a create or modify an IDS server.
Follow the steps below to create or modify an IDS server.
1. In the IDS Server IP address field, enter the IP address for the IDS server.
2. In the Shared secret field, enter a text string that the IDS server uses to
generate a signature for shun packets.
3. In the Default time to shun an IP address field, specify the amount of
time for which the IP addresses will be shunned, as follows:
a. In the drop-down list, specify the time format to use by selecting
either Seconds, Minutes, Hours, or Days.
b. In the text field, enter the number of seconds, minutes, hours, or
days.
4. Click OK to save your changes and return to the Configuration tab. (To
cancel your changes, click Cancel.)
The Shunned IPs window allows you to view and modify the
currently shunned IP addresses.

Figure 3-18. IDS
Configuration: Shunned
IPs window
Loading and
installing patches
Loading and installing patches
Each entry in the table displays the IP address, burb, and the date and
time at which the IP address will no longer be shunned. You can
perform the following actions in this window:
Delete one or more IP addresses—To remove one or more IP
addresses from the list, highlight the IP address(es) you want to
delete and click Delete IP(s). (To select multiple addresses, press
and hold the Ctrl key as you select the addresses.)
Delete all IP addresses—To remove all of the IP addresses that are
listed in the table, click Delete All IPs.
Update the window—To retrieve an updated list of shunned IP
addresses, click Refresh. The date and time when displayed data
was captured is listed in the upper portion of the window.
The Sidewinder G2 provides the ability to patch your software by
installing software patches or "packages" on your system. The
software packages are available via Secure Computing’s FTP site. You
can view, load, and install software packages using the Admin
Console.
Tip: If your site requires physical patch media, you can burn a patch to a CD using the CD
burning software of your choice (such as Roxio Easy CD Creator). Refer to the CD burning
software’s instructions for information on burning the patch file to CD. (You can also
contact Customer Service for general instructions.)
General System Tasks 3-41

Loading and installing patches
Figure 3-19. Software
Management: Summary
tab
3-42 General System Tasks
Viewing currently installed patches
To view the patches currently installed on your system, start the
Admin Console and select Firewall Administration -> Software
Management, and select the Summary tab. A window similar to the
following appears.
About the Summary tab The Summary tab displays information about the patches currently
installed on the Sidewinder G2. This window also enables you to do
the following:
Details—To display a detailed description of a particular patch,
highlight the patch in the list and click Details.
Verify—To verify the signature on a particular patch, highlight the
patch in the list and click Verify.
Export—To export a particular patch to a diskette, highlight the
patch in the list and click Export.
View Log—Click this button to display the Package Installation log.
The log contains a list of all patches that have been installed.

Figure 3-20. Software
Management: Import
tab
Entering information on the
Import tab
Loading a patch
Loading and installing patches
You will generally load patches onto the Sidewinder G2 via the
network (via the FTP site). All patches are encrypted and digitally
signed. You must have a current support license in order to decrypt
and load a patch. Patches that are loaded onto the Sidewinder G2 are
stored in the /var/spool/packages directory.
Note: Loading a patch on the Sidewinder G2 is NOT the same as installing it. Loading a
patch only makes that patch available for installation on the Sidewinder G2. To install a
patch on the Sidewinder G2, see “Installing a patch” on page 3-45.
To load a software package, select Firewall Administration -> Software
Management, and select the Import tab. A window similar to the
following appears.
The Import tab is used to load a patch on the Sidewinder G2. You can
load patches via the network (using Secure Computing’s FTP site), or
using physical media that you create. Follow the instructions below.
General System Tasks 3-43

Loading and installing patches
3-44 General System Tasks
To import a patch from the network (via Secure Computing’s FTP site):
1. In the Import from Network area verify/modify the following fields:
Note: To modify any of the fields, click Edit and modify the information as needed.
FTP Site—The name of the FTP site from which the package will be
downloaded. The default name is
ftp.activations.securecomputing.com. To edit this information, click
Edit.
Username—The name to use when logging onto the FTP site. The
default user name is anonymous.
Password—The password must be used when logging onto the
FTP site. If no password is set, the Sidewinder G2 serial number will
be sent as the password.
Directory—The path name on the FTP site that contains the
desired patch(es).
Note: To restore the system default values to all of these fields, click Edit and then
click Restore Defaults.
Note: This information is stored in the /etc/sidewinder/package.conf file.
2. Click Import Now to load the patch(es).
3. To enable the Sidewinder G2 to automatically download the latest
patches from the defined FTP site on a periodic basis, select Enable
Periodic Automated Imports. The automated download process will
compare the files on Secure Computing’s FTP site to the files currently
on the Sidewinder G2. Only those patches not already present on your
system will be loaded.
In the Frequency field, specify how often the Sidewinder G2 will
automatically access the FTP site and download the latest patches. The
options are:
daily—Checks for new patches to download every day.
weekly—Checks for new patches to download every seven days.
monthly—Checks for new patches to download every 30 days.
bimonthly—Checks for new patches to download every 60 days.
Note: A cron job defines the exact day and time the download will occur. By default
the download will occur very early in the morning.
4. To have a report e-mailed to the Sidewinder G2 administrator each time
the Sidewinder G2 attempts an automatic import from the FTP site,
select Generate E-mail Report. A report is generated regardless of
whether a patch is actually downloaded. The report is e-mailed to the
root e-mail alias on the Sidewinder G2.

Loading and installing patches
5. Click the Save icon to save any information you entered, or click Cancel
to reset changes to their original values.
To import a patch from CD-ROM or diskette:
Typically, patches are downloaded via the network (using FTP). If
your site requires patch installation using physical media, you can
burn a patch to a CD using the CD burning software of your choice
(such as Roxio Easy CD Creator). Refer to the CD burning software’s
instructions for information on burning the patch file to CD. (You can
also contact Customer Service for general instructions.)
1. In the Import from CDROM/Diskette area select the location of the patch
you want to load. The options are:
CDROM—Select this option if the patch resides on CD.
Diskette—Select this option if the patch resides on diskette.
2. Insert the CD-ROM or diskette into the appropriate drive on the
Sidewinder G2 and click Import Now.
Note: If the patch resides on multiple diskettes, insert the first diskette, click Import
Now, and follow the on-screen prompts.
The patch(es) are loaded onto the Sidewinder G2.
Installing a patch
Patches that you load or download are not automatically installed.
Rather, you can install them at a time that is convenient for you. This
is important because the Sidewinder G2 must be rebooted during the
installation process. The Admin Console allows you to define exactly
when you want patch installation to occur.
Important: If you have an existing HA or One-To-Many cluster, refer to the appropriate
patch Release Notes for information on installing a patch on an HA or One-To-Many
cluster. Release Notes for each patch (as well as a Documentation Addendum, when
applicable) are available on the Secure Computing Web site.
To install a patch, select Firewall Administration -> Software Management,
then select the Install tab. A window similar to the following appears:
Important: It is recommended that you perform a system backup before installing any
patches. See “Backing up system files” on page F-4 for details.
General System Tasks 3-45

Loading and installing patches
Figure 3-21. Software
Management: Install tab
Entering information on the
Install tab
3-46 General System Tasks
The Install tab is used to install a patch that is already loaded on the
Sidewinder G2. To install a patch, follow the steps below.
Important: If you have an existing HA or One-To-Many cluster, refer to the appropriate
patch Release Notes for information on installing a patch on an HA or One-To-Many
cluster. Release Notes for each patch (as well as a Documentation Addendum, when
applicable) are available on the Secure Computing Web site.
1. Select the patch(es) you want to install from the Package table. This
table lists all the patches currently installed or available for installation
on the Sidewinder G2. To select multiple patches, press the Ctrl key as
you select the patch names.
2. Select the Enable Automated Package Install check box to activate the
installation options. (A check mark appears when the field is enabled.)
You cannot select an installation option unless this check box is
selected.
Note: To cancel a scheduled automated patch installation, disable this field and
click the Save icon.

Loading and installing patches
3. Select an installation option for the patch(es) you selected. The
following options are available:
Install Immediately—Select this option if you want to install the
selected patch(es) as soon as you click the Save icon.
Note: The Admin Console will be disconnected when the Sidewinder G2 begins its
reboot process. Wait a few minutes for the reboot process to complete, then try
reconnecting.
Install Later—Select this option to specify a date and time in the
future that you want to automatically install the selected patch(es).
4. [Conditional] If you selected Install Later in the previous step, fill in the
following information:
Date—Specify the date the automatic patch installation will be
performed. A typical practice is to define a date when you expect
very little network traffic (for example, a holiday).
Time—Specify the time of day that the patch installation will be
performed. A typical practice is to define a time when you expect
very little network traffic (for example, 2:00 a.m.).
5. [Optional] If you want a report e-mailed to the Sidewinder G2
administrator each time a patch is automatically installed, select the
Generate E-mail Report check box. If this check box is selected, the
report is e-mailed to the root e-mail alias on the Sidewinder G2.
6. Click the Save icon to save the changes and to implement the install.
Note: In the unlikely event that the patch installation fails, refer to “If a patch installation
fails” on page F-23 for troubleshooting information.
7. Once the Sidewinder G2 has finished installing the patch and has been
rebooted, launch the Admin Console. You will be prompted to load and
install the Admin Console update for the patch. To upgrade the Admin
Console, follow the prompts that appear.
Note: The Admin Console program will exit automatically during the update
process.
General System Tasks 3-47

Modifying the burb configuration
Modifying the
burb
configuration
Figure 3-22. Burb
Configuration window
Entering information on the
Burb Configuration window
3-48 General System Tasks
.
A burb is a type enforced network area used to isolate network
interfaces from each other. The burbs in your Sidewinder G2 are
initially defined during the installation process. Using the Admin
Console you can create new, modify, and delete burbs.
To modify your burb configuration, start the Admin Console and
select Firewall Administration -> Burb Configuration. The following
window appears.
This window allows you to add, modify, or delete burbs within your
current configuration. Follow the steps below.
Note: You can configure a maximum of 24 burbs on a Sidewinder G2.
1. Do one of the following:
To create a new burb, click New. In the Create New Burb window,
enter a name for the new burb. Click OK to return to the Burb
Configuration window and configure the burb.
To modify a burb, highlight the burb in the Burbs list. The settings
for that burb will appear in the right portion of the window.
To delete a burb, highlight the burb in the Burbs list and click
Delete.
Note: You cannot delete a burb that is currently referenced elsewhere on the
system (for example, a rule or interface configuration). To determine whether a
burb is currently being referenced, highlight the burb and click Usage.
To view all areas where a burb is currently being used, highlight
the burb in the Burbs list and click Usage. The Burb Usage window
appears listing every area in which the burb is currently used.
When you are finished viewing the information, click Close to
return to the Burb Configuration window.

Modifying the burb configuration
2. The following settings may be enabled or disabled for each burb:
Hide port unreachables—If this parameter is enabled, the
Sidewinder G2 will give no response if a node on the network
attempts to connect to a port on which the Sidewinder G2 is not
listening. This increases security by not divulging configuration
information to potential hackers.
Intra-burb packet forwarding—If enabled, traffic will be forwarded
between network interfaces located within this burb. Disabling
this parameter in a burb with two or more network interfaces has
the effect of separating the interfaces. This parameter should be
disabled in burbs with only one network interface.
Note: There is an interaction between the Intra-burb packet forwarding
parameter and NAT. NAT changes the source address of outbound packets to
the IP address of the Sidewinder G2 in the external (outgoing) burb. If multiple
interfaces exist in the same burb, that Sidewinder G2 has to select an
appropriate address based upon how it routes packets. By enabling this option,
the Sidewinder G2 must choose one of the interfaces for the source address. In
this case the Sidewinder G2 will always choose the address of the first interface
in the burb. Problems could occur if the destination is not defined to use the
same route back to the Sidewinder G2.
Honor ICMP redirects—ICMP messages are used to optimize the
routes for getting IP traffic to the proper destination. On a trusted
network, honoring ICMP redirects can improve the throughput of
the system. On an untrusted network, ICMP redirects can be used
by hackers to examine, reroute, or steal network traffic. Enabling
this parameter allows the Sidewinder G2 to honor ICMP redirects.
Respond to ICMP echo and timestamp—ICMP echo and timestamp
messages (also known as ping messages) are used to test
addresses on a network. The messages are a handy diagnostic tool,
but can also be used by hackers to probe for weaknesses. Enabling
this parameter allows the Sidewinder G2 to respond to these
messages.
3. In the Internet burb drop-down list, specify which of the burbs defined
on the Sidewinder G2 is the Internet burb. The Internet burb is unique
because it is the only burb that communicates directly with the outside
world.
4. Click the Save icon to save your changes.
General System Tasks 3-49

Modifying the interface configuration
Modifying the
interface
configuration
Figure 3-23. Interface
Configuration window
3-50 General System Tasks
.
The network interfaces defined for your Sidewinder G2 are initially
defined during the installation process. The Sidewinder G2 supports
up to 24 interfaces. (If you have more than 24 interfaces on your
system, the Sidewinder G2 will use the first 24 interfaces that are
detected.) Using the Admin Console you can configure the media
type, the IP address, the subnet mask associated with an interface,
and the burb assigned to an interface. You can also enable hardware
acceleration and TCP checksum offloading.
To modify your interface configuration, start the Admin Console and
select Firewall Administration -> Interface Configuration. The following
window appears.
About the Interface Configuration main window
The Interface Configuration main window contains an Interfaces tab
(in the upper portion of the window) that displays the configuration
settings for each interface on the Sidewinder G2 in a table format. The
Configuration tab (in the lower portion of the window) displays the
configuration information for the interface that is selected in the
Interfaces table. For a description of each interface field, see
“Modifying the Configuration tab” on page 3-51. You can perform the
following actions in the Interface Configuration window:
Note: The Hardware Acceleration tab will only appear if you are using a supported
hardware accelerator. For information on the Hardware Accelerator tab, see “About the
Hardware Acceleration tab” on page 3-53.

Modifying the
Configuration tab
Modifying the interface configuration
To view the status of all interfaces, click Media Status. The Media
Status window provides a table listing all of the available
interfaces, the corresponding IP address, and the status of each
interface (connected or disconnected). When you are finished
viewing the status, click Close.
To delete an interface, highlight the interface and click Delete.
Note: You can only delete interfaces that are disabled and have the NIC removed.
To modify an interface, highlight that interface in the table. The
configuration information appears in the Configuration tab in the
lower portion of the window. (You can also highlight the
appropriate table row and click Modify to access the configuration
information in a separate window.)
To switch the interface configuration settings between two
interfaces, highlight the two interfaces for which you want to swap
properties (you will need to press and hold the Ctrl key to select
multiple interfaces), and then click Swap Parameters. You will
receive a warning message indicating that the system may not
function properly until it is rebooted. To swap the parameters,
click Yes and be sure to reboot your system. To cancel, click No.
Caution: Swapping interface parameters after you have initially configured your
Sidewinder G2 could have unexpected results. This process should only be used
immediately after installation, or when an interface has been added or replaced.
The Configuration tab displays the interface name and MAC address
that you are modifying. The following interface settings can be
modified:
Enabled—To enable an interface, select On. To disable an interface,
select Off.
Note: You must select a burb in the Burb field before you can enable an interface.
IP Address—To modify the IP address, enter the new IP address in
this field.
Network Mask—To modify the Network Mask, enter the new
network mask in this field. The value specified is used to identify
the significant portion of the IP address.
Burb—To modify the burb, select the appropriate burb for this
interface from the drop-down list.
General System Tasks 3-51

Modifying the interface configuration
3-52 General System Tasks
Media Type—To modify the media type, select the appropriate
media type from the drop-down list.
Hardware Capabilities—This option will only appear if the interface
you are modifying has hardware capabilities that can be
configured. To select all of the available options, click Select All. To
deselect all options, click Deselect All. The following options may
be available for selection:
— rxcsum: Enable transmission of checksum offload for IPv4
packets.
— txcsum: Enable reception of checksum offload for IPv4
packets.
— tcpseg: Enable TCP/IPv4 segmentation offload for large
packets.
When you are finished modifying the interface, click the Save icon to
save your changes. (If you modified the interface in a separate
window, you will need to click OK to return to the Interface
Configuration window.)
About the Aliases tab
The Interface Configuration Aliases tab contains an Interface Aliases
table that displays any alias IP addresses defined for the selected
network interface. Alias IP addresses are used in Multiple Address
Translation (MAT). Adding alias IP addresses to a network interface
can be used for a number of purposes:
Specific logical networks connected to one interface can be
consistently mapped to specific IP aliases on another interface
when address hiding is used.
The NIC can accept connection requests for any defined alias.
The NIC can communicate with more than one logical network
without the need for a router.
The NIC can have more than one address on the same network
and have DNS resolve different domains to each host address.
To delete an alias IP address, select the item, and click Delete.
To add or modify an alias IP address, select the item, click New or
Modify, and see “About the Aliases: New/Modify Network Alias
window” below.

About the Aliases: New/
Modify Network Alias
window
Modifying the interface configuration
To add or modify an alias IP address in the Interface Configuration:
Aliases window, follow the steps below.
1. In the Network Address field, select the appropriate network address for
the interface you want to configure.
2. In the Alias Address field, type the alias IP address that will be associated
with the network interface selected in the Interface Configuration
window.
3. In the Network Mask field, type a network mask. The value specified is
used to identify the significant portion of the IP address.
4. Click OK to add the alias IP address, or click Cancel to return to the
Interface Configuration window without saving your changes.
After adding or modifying an entry you should be able to ping the
address from an external device, unless the Respond to ICMP echo and
timestamp parameter is disabled for this burb. See “Entering information
on the Burb Configuration window” on page 3-48.
5. Click the Save icon to save the changes.
About the Hardware Acceleration tab
The Hardware Acceleration tab will only appear if you are using a
supported hardware accelerator. The Hardware Acceleration tab
contains a table listing the supported hardware accelerators that are
currently installed on the Sidewinder G2. The following table columns
appear:
Hardware Accelerator—This column lists the type of hardware
accelerator (for example, Cavium).
Accelerator Type—This column lists the type of hardware
acceleration (for example, SSL).
Enabled—This column lists whether the hardware accelerator is
enabled (On) or disabled (Off).
To enable a hardware accelerator, select the hardware accelerator you
want to enable and click Enable.
To disable a hardware accelerator, select the hardware accelerator you
want to disable and click Disable.
Click the Save icon to save your changes.
General System Tasks 3-53

Modifying the static route
Modifying the
static route
Figure 3-24. Static
window
3-54 General System Tasks
Traffic between machines on different networks or subnets requires
routing. Each computer must be told where to direct traffic it cannot
deliver directly; this “default gateway” is generally a router which
allows access to distant subnets.
A “default route” (route of last-resort) is used to specify the IP address
where packets are forwarded that have no explicit route. It is usually
the IP address of a router (for example, a Cisco box) that will forward
packets to your Internet Service Provider (ISP).
Note: For more detailed information on routing, please refer to "Routing options" in the
Sidewinder G2 Startup Guide.
On the Sidewinder G2, this default route is typically defined while
using the Configuration Wizard during the initial configuration
process. Once it is set it rarely needs to change; hence it is also
known as a static route. However, if your network configuration
should change, you may find it necessary to change this static route.
You can do this using the Admin Console. To change a static route,
select Services Configuration -> Routing -> Static. The Static window
appears.

Modifying the static route
About the Static window The Static window contains a static route definition table that lists all
of the route definitions. To modify the static routes currently defined
on the Sidewinder G2, follow the steps below.
About the Static: Route
window
Note: Interface routes cannot be modified or deleted.
1. To change the IP address of the router that is used as your default or
"static" route, type the new address in the Default Route field. The
address must be entered using standard quad notation.
Note: If your Sidewinder G2 is defined with two DNS servers, the IP address for the
static route must be an address on the external burb.
2. Perform one of the following actions:
To add a static route, click New. The Static Route window appears.
Proceed to step 3.
To modify an existing static route, highlight the route you want to
modify and click Modify. The Static Route window appears.
Proceed to step 3.
To delete an existing static route, highlight the route you want to
delete and click Delete. When you click this button, the system
checks for any sessions that are currently using the address that
you want to delete. If the address is in use, you will not be allowed
to delete the entry. Proceed to step 8.
3. In the Entry Type field, select the type of route: Net or Host.
4. In the Net/Host Address field, type the subnet address for this route.
5. In the Gateway field, type the gateway address the route will use.
6. [Conditional] In the Net Mask field, type the network mask that will be
used for this route. This field is only available if Net is selected in the
Entry Type field.
7. Click Add to add the information you entered to the static route
definition table. (To exit the window without saving your changes, click
Close.)
8. In the Static window, click the Save icon to write all non-interface routes
to /etc/gateways and automatically add changes to the current routing
table, or click Cancel to cancel the change.
General System Tasks 3-55

Configuring remote Admin Console management
Configuring
remote Admin
Console
management
Figure 3-25. Remote
Administration tab
About the Remote
Administration tab
3-56 General System Tasks
The Sidewinder G2 is managed remotely from a Windows machine.
Before you can establish a connection to the Sidewinder G2, you must
configure the Sidewinder G2 to accept administration via the Admin
Console. This is typically enabled via the Configuration Wizard during
initial Sidewinder G2 configuration. Use the following steps to enable
or disable administration in a particular burb.
Start the Admin Console and select Firewall Administration -> UI Access
Control. A window similar to the following appears.
This window allows you to enable management for the Sidewinder
G2 using the Admin Console. When enabled, users with
administrative privileges will be able to connect to and administer the
Sidewinder G2 from a Windows machine. You can enable Admin
Console management on a per burb basis. For example, if you enable
Admin Console management for Burb A but not Burb B, only those
users with access to the interfaces assigned to Burb A will be able to
administer the Sidewinder G2 using an Admin Console.
Note: For information on configuring the Firewall Certificate tab, see “Configuring and
displaying firewall certificates” on page 13-37.
Follow the steps below to configure Admin Console management.
Note: Admin Console management is typically enabled via the Configuration Wizard
during initial Sidewinder G2 configuration.

About the SSL certificate
fields for the Admin
Console
Enabling and
disabling multiprocessor
mode
Enabling and disabling multi-processor mode
1. In the Allow Secure Sessions From list, select the burbs that will allow
administration access from a Windows system. Connections to the
burbs in this list are encrypted using SSL.
2. In the Secure Ports field, specify the range of ports on which secure
sessions will be allowed.
Note: See “NSS regulation of valid ports for the Admin Console” on page 1-16 for
details on selecting valid ports.
3. Click the Save icon to save your changes. To configure the SSL certificate
fields for the Admin Console, see the following section.
The Admin Console provides secure access to the Sidewinder G2
using the Secure Socket Layer (SSL) protocol. The SSL protocol
requires the use of certificates by both the client and the server when
creating the secure connection. Follow the steps below to configure
the SSL certificate for the Admin Console.
Important: Secure Computing recommends assigning a new certificate to the Admin
Console before using the Sidewinder G2 in an operational environment.
A default SSL certificate is initially assigned to the Admin Console.
When using the Sidewinder G2 in an operational environment,
however, it is highly recommended that you assign a different
certificate to the Admin Console. For more information, see “Assigning
new certificates for Admin Console and synchronization services” on
page 13-43.
To assign a new SSL certificate to the Admin Console, select the
certificate from the Certificate drop-down list. Only self-signed, RSA
certificates that are defined in Services Configuration -> Certificate
Management in the Firewall Certificates tab are displayed in this field.
The Firewall Certificates tab is used to define a new certificate for use
by the Admin Console. After creating the new certificate you can
return to the UI Access Control window and assign the new certificate
to the Admin Console.
The Sidewinder G2 supports the use of dual-processor platforms. If
your hardware platform contains a second CPU, you might consider
enabling this feature if your site meets one of the following
conditions.
Your site is passing large volumes of e-mail.
Your site is generating large volumes of audit data.
General System Tasks 3-57

Configuring the Sidewinder G2 to use a UPS
Configuring the
Sidewinder G2 to
use a UPS
3-58 General System Tasks
To enable the use of the second processor, perform the following
steps.
1. Enter the following command at a Sidewinder G2 command line to
switch to the Admn domain:
srole
2. Type one of the following commands to enable the multi-processor
feature.
If you want to test how multi-processor mode works on your
system, but you do not want it enabled permanently, type the
following command. You can skip step 4 if you use this command.
cpu mp
If you have tested multi-processor mode and are confident
enough to enable it permanently, type:
touch /etc/mp.config
3. Reboot the Sidewinder G2.
4. Check to see that the second CPU is active by typing the following
command.
cpu stat
If you encounter a problem enabling the second processor, it might
indicate that you need to modify the /etc/boot.default file or the
/etc/mp.config file by adding the proper interrupts or command
overrides for your specific hardware platform. Contact Secure
Computing Technical Support if you have questions or problems.
Once multi-processor mode is enabled, the only way to disable it is to
delete the /etc/mp.config file and reboot the Sidewinder G2.
Many organizations connect the Sidewinder G2 to an Uninterruptible
Power Supply (UPS). This allows the Sidewinder G2 to continue to be
operational if a power outage occurs. If the power outage is long
enough, however, the battery in the UPS will begin to fail. To avoid an
uncontrolled shutdown, you can configure the Sidewinder G2 to
initiate an orderly shutdown before the UPS fails. The Sidewinder G2
is much more likely to restart in a good condition following an orderly
shutdown than from an uncontrolled shutdown.

Figure 3-26. UPS
Configuration window
About the UPS
Configuration window
Configuring the Sidewinder G2 to use a UPS
Configuring the Sidewinder G2 to use a UPS
To configure the Sidewinder G2 to use a UPS, select Services
Configuration -> Servers and select upsd in the list of server names. Click
the Configuration tab. The following window appears.
The UPS Configuration window enables you to configure how the
Sidewinder G2 will interact with an uninterruptible power supply. The
window contains the following fields.
UPS Serial Port—Click the drop-down list to select the Sidewinder
G2 port being used to monitor the UPS.
If you are using a Sidewinder G2 Security Appliance, your system
will only support COM1 port (COM2 is not supported). Therefore,
you cannot enable the uninterruptible power supply (UPS) service
AND connect a console directly on your Sidewinder G2 on the
COM1 port at the same time. Doing so will cause your Sidewinder
G2 Security Appliance to shutdown immediately. If this happens,
you must do one of the following:
— Disable upsd and use a serial console: Disconnect the Sidewinder
G2 console, disable upsd using the Admin Console, and then
reconnect to the Sidewinder G2 console.
— Remove the serial console and use upsd: Disconnect the
Sidewinder G2 console, and then connect the UPS cable.
Battery Time—Specify the estimated amount of time (in seconds)
that the UPS battery will last before running low. The Sidewinder
G2 will initiate an orderly shutdown when this timer expires,
regardless of the amount of battery power remaining in the UPS.
General System Tasks 3-59

Configuring the Sidewinder G2 to use a UPS
3-60 General System Tasks
Enabling/disabling the UPS server
1. Select Services Configuration -> Servers.
2. Select upsd from the list of server names.
3. Click Enable or Disable.
Enabled—Indicates the Sidewinder G2 is configured to use a UPS.
If a power outage occurs, the Sidewinder G2 will monitor the UPS
and will perform an orderly shutdown when the UPS battery
begins to run low.
Disabled—Indicates the Sidewinder G2 is not configured to use a
UPS. If a power outage occurs and the Sidewinder G2 IS connected
to a UPS, the Sidewinder G2 will not monitor the UPS and will not
perform an orderly shutdown when the UPS battery begins to run
low.
4. Click the Save icon.

C HAPTER 4
Understanding Policy
Configuration
About this chapter This chapter provides an overview of the pieces that comprise your
security policy: rules, rule elements, and Application Defenses. It also
provides useful examples to assist you in building rules and
organizing them into the groups that you use to enforce your security
policy.
Policy
configuration
basics
This chapter covers the following topics:
“Policy configuration basics” on page 4-1
“Rule elements” on page 4-6
“Application Defenses” on page 4-14
“Proxy rule basics” on page 4-17
“IP Filter rule basics” on page 4-28
Your site’s security policy is implemented and enforced by applying
rules to all traffic that passes through the Sidewinder G2. Each rule is
basically a mini policy that contains criteria which are used to inspect
incoming or outgoing traffic. Rules determine whether that traffic will
be allowed to continue to its destination. There are two distinct rules
types that you can configure on the Sidewinder G2:
Proxy rules—Proxy rules allow you to control access to Sidewinder
G2 proxies and servers. Proxy rules determine whether traffic will
be allowed through the Sidewinder G2 or denied using various
criteria such as source and destination address.
Note: When you are configuring proxy rules for a particular proxy or service, you
must ensure that the corresponding proxies and/or servers have also been enabled
and configured before the rule will pass traffic.
IP Filter rules—IP Filter rules allow you to configure your
Sidewinder G2 to securely forward IP packets between networks.
IP Filter rules operate directly on the IP packets, allowing you to
configure filtering for TCP/UDP and non-TCP/UDP traffic passing
between networks.
4
Understanding Policy Configuration 4-1

4
Policy configuration basics
Figure 4-1. Basic rule
group structure
4-2 Understanding Policy Configuration
After you plan and create all of the rules you need to enforce your
security policy, you can organize them into sets, called rule groups. A
rule group can consist of both rules and nested rule groups. A nested
rule group is a rule group that you place within another rule group.
You can nest multiple rule groups within a rule group.
Figure 4-1 demonstrates the basic structure of a rule group that uses
nested rules.
Sample rule group
Rule 1
Rule group A
Rule group B
Rule 9
Rule Rule 21
Rule 3
Rule 4
Rule 5
Rule 6
Rule 7
Rule 8
While you can create numerous rules and groups, the Sidewinder G2
will only load and use the rules contained in the groups that you
select in the Active Rules window. These active rules are the rules that
enforce your security policy. When you select the active rule groups
(you can select one active proxy group and one active IP Filter
group), those groups begin actively monitoring traffic coming into
and leaving the Sidewinder G2. All rules and rule groups that are not
part of the active rules will remain inactive unless you add them to an
active rule group. You can modify your existing active rule group to
add or delete rules and/or nested rule groups as your security needs
change. You can also re-organize the rules within a group as needed.
When you select an active group, the individual rules and the rules
within nested groups are extracted into a single table of ordered rules
as shown in Figure 4-2.

Figure 4-2. Example of
active rules
rule group
Rule 1
Rule group A
Rule group B
Rule 9
active rules
Rule 1
Rule 2
Rule 3
Rule 4
Rule 5
Rule 6
Rule 7
Rule 8
Rule 9
Policy configuration basics
contents of
rule group A
contents of
rule group B
The rules within an active group are processed in sequential order.
When traffic arrives at the Sidewinder G2, it will first be processed by
the active IP Filter rules. If the traffic does not match any IP Filter
rules, it is forwarded on to the active proxy rules. If a rule match is
found, the traffic is processed according to that rule and will not be
processed by any other rules. Therefore, the order of the rules and
nested rule groups within an active rule group is very important.
The rule groups you specify in the Active Rules window (one for
proxy and one for IP Filter) work together as follows: All traffic
coming into and leaving the Sidewinder G2 is compared to any active
IP Filter rules that you have configured. The IP Filter rules examine
packets at the IP layer. If a match is not found in the IP Filter rules,
the traffic is then examined by the active proxy rules, which examine
the traffic at the Application layer.
Understanding Policy Configuration 4-3

Policy configuration basics
Figure 4-3. Traffic
passing through the
active rule groups
4-4 Understanding Policy Configuration
traffic
1. Traffic enters the
Sidewinder G2 and
is processed by the
active IP FIlter rules.
active IP Filter rules active proxy rules
Rule group
Rule
Rule group
Rule group
Rule
2. No match is found, so
traffic is forwarded to the
active proxy rules.
Rule group
Rule group B
Rule group
Rule
Rule
3. A match is found in Rule
Group B. The traffic is
processed by the rule
specifications.
Tip: Always place the deny_all rule at the end of the active proxy rules list. This rule
denies any traffic that reaches it. Therefore, any rules that are listed after the deny_all rule
will not process any traffic.
An example of traffic being processed by the active rules
The following scenario walks you through the basic process used by
the Sidewinder G2 to process an outbound Telnet connection request.
For simplicity, this scenario assumes that the active rules table consists
of the following items:
Some non-TCP/UDP IP Filter rules.
A rule called NetMeeting that allows users to utilize audio and
video conferencing components for NetMeeting ® .
A rule group called Administration, which allows Sidewinder G2
administrators to access the Sidewinder G2.
A rule called InternetServices, which includes a service group that
allows access to the most commonly used Internet services,
including Telnet. (For information on service groups, see “Service
groups” on page 4-12.)
A deny_all rule that will deny any requests that did not match any
other rules. This rule acts as a safeguard against traffic that did not
meet any rule criteria, and may or may not be desirable depending
on your site’s security policy.

Policy configuration basics
The following steps outline the basic processing that takes place
when an outbound Telnet connection request arrives at a Sidewinder
G2 with the above active rules in place.
1. A outbound Telnet request arrives at the Sidewinder G2.
2. The request is processed by the active IP Filter rules. No match is found,
so the request is forwarded to the active proxy rules.
3. The request is processed by the first rule in the Active Rules table, which
is the NetMeeting rule. The request does not match the rule criteria.
4. The request is forwarded to the next rule in the table, a rule group called
Administration, and is inspected in sequential order by each rule
contained within that group. No match is found in this rule group.
5. The request is forwarded to the next rule in the table, a rule called
InternetServices. A match is found (because the telnet proxy is included
in the service group used in this rule).
6. The request is processed according to the specifications in the
InternetServices rule. The InternetServices rule is an allow rule with NAT
enabled. The request bypasses all other rules and groups contained in
the active rules table, the internal address of the request is translated,
and the request is granted.
Ordering proxy rules within a rule group
The order in which rules and nested groups appear in the active rule
group is significant. When the Sidewinder G2 is looking for a rule
match, it searches the active rules in sequential order (beginning with
the first rule or nested group within the group, then the second, and
so on). The first rule that matches all the characteristics of the
connection request (service type, source, destination, and so on) is
used to determine whether to allow or deny the connection.
Therefore, you should always place rules that allow or deny the most
frequent traffic near the top of an active rule group to reduce the
processing time.
Important: If the characteristics of a connection request matches more than one rule,
the first one it matches will be used and the search will stop.
For example, suppose you want to allow access to FTP services on
the Internet for all systems except those included in a netgroup called
“publications.” The scenarios below illustrate both the incorrect and
correct rule placement.
Understanding Policy Configuration 4-5

Rule elements
4-6 Understanding Policy Configuration
Incorrect placement of rules in a rule group
The following shows a rule group list that is INCORRECT for this
scenario.
Rule 1: Allow FTP service for all internal systems to all external systems.
Rule 2: Deny FTP service for the netgroup “publications” to all external systems.
The first rule in the rule group allows all systems (via a wildcard) to
use FTP and the second rule denies one particular netgroup.
Problem: When a system specified in the “publications” netgroup
requests an FTP connection to somewhere in the Internet, the
Sidewinder G2 will check rule 1 in the active proxy rule group.
Because that rule allows all systems FTP service to the Internet, the
Sidewinder G2 detects a match, stops searching the rule group, and
grants the connection.
Correct placement of rules in a rule group
To deny a particular netgroup in this example, the deny rule should
be placed before the allow rule. The correct way to order the rules in
the rule group for this example is as follows.
Rule 1: Deny FTP service for the netgroup “publications” to all external systems.
Rule 2: Allow FTP service for all internal systems to all external systems.
Important: As a basic guideline when configuring a rule group, place specific rules
before any general (wildcard) rules.
Rule elements Rule elements are the building blocks for your rules and help you
save time and effort by allowing you to group information, reducing
the number of rules you need to create. Rule elements consist of the
following:
Users and user groups—Users can be placed in user groups,
allowing you to apply a single rule to multiple users who share the
same access privileges. See “Users and user groups” on page 4-8.
Note: Users and user groups are used only in proxy rules.

Rule elements
Network objects—Network objects are entities for which you
configure the Sidewinder G2 to allow or deny connections. They
can consist of IP addresses, hosts, domains, netmaps, subnets, or
netgroups. See “Network objects” on page 4-9.
Service groups—A service group is a collection of proxies and/or
servers. When specified in a rule, the rule will regulate access to
all proxies and servers defined within that service group. See
“Service groups” on page 4-12.
Note: Service groups are used only in proxy rules.
Planning for rule elements
In providing network security, the main objective of the Sidewinder
G2 is to enforce a set of rules that reflect your desired security policy.
Properly defining and creating user groups, network objects, and
service groups provides you with building blocks you can use to
create sound rules. Remember, the groups you create and the rules
you define serve as the embodiment of your site’s security policy.
The following list provides guidelines to consider when planning your
rule elements:
Start by considering your security policy. If you do not have a
security policy, see the Perimeter Security Planning Guide (located
on the Sidewinder G2 Management Tools CD) for information on
how to develop one.
Decide if you want to control access based on user groups,
netgroups, or both.
If you want to control access based on user groups, make a list
defining all users, and organize the list by the networking services
they will be granted and authentication methods they must use.
Plan to include all users who require access to the same services
using the same authentication methods in the same group.
Plan to create service groups for each user or netgroup that
requires access to the same services to reduce the number of rules
you need to create.
Understanding Policy Configuration 4-7

Rule elements
4-8 Understanding Policy Configuration
If you want to control access based on netgroups, make a list
defining all your machines, and organize the list by the networking
services they will be granted.
Create a proxy rule for each user group and/or netgroup.
Important: Creating netgroups saves you the trouble of entering multiple versions
of the same proxy rule. It is important to model (define) all network objects for which
you want to allow access before you set up your rules.
Users and user groups
Users are people who use the networking services provided by the
Sidewinder G2. User accounts are a mechanism used to authenticate
people before they are permitted to make a network connection
through (or to) the Sidewinder G2.
Note: Users and user groups are used only in proxy rules.
As described in the following chapter, you can use the Admin Console
to create user accounts which are stored in a user database located on
the Sidewinder G2 or in a separate authentication server. A single
account in a user database includes information such as the user’s
login name and password. (“Supported authentication methods” on
page 9-5 provides detailed information on various methods used to
authenticate users during a the Sidewinder G2 connection attempt.)
A user group is a logical grouping of one or more users, identified by
a single name. Also, a user group can include another “nested” user
group. Figure 4-4 shows an example of two user groups.
Important: User groups can be used in an allow rule only if the specified service
supports authentication (login, Telnet, FTP, Web, secure shell [SSH], or SSO).

Figure 4-4. User Groups
user group
named
“accounting”
user group
named
“engineering”
Rule elements
Figure 4-4, shows five users divided into two user groups:
“Accounting” and “Engineering.” Suppose you want to allow both
user groups Telnet access to the Internet. Also suppose you want to
authenticate the “Accounting” user group differently from the
“Engineering” user group. In this example you create two nearly
identical rules to allow Telnet access, one for each user group. The
only difference in the rules for each user group would be the
authentication method you specify for each group.
Network objects
internal
network
Sidewinder G2
Internet
A network object is an entity for which you configure the Sidewinder
G2 to allow or deny connections. A network object can be an IP
address, a host, a network domain, a netmap, a subnet, or netgroup.
When you create rules, you must specify a network object as the
source or destination of the connection. (You may also select the All
option, which serves as a wildcard.) The following subsections
provide an overview of how each network object is used.
Note: IP Filter rules can only use IP address, subnet, and some host (localhost) network
objects.
Understanding Policy Configuration 4-9

Rule elements
4-10 Understanding Policy Configuration
Domain network objects
A domain network object is registered by the Internet community.
Registered domain names typically end with a three letter suffix such
as .edu (for education sites) or .com (for commercial sites). For
example, a domain name could be specified as bizco.net. See
“Configuring domain objects” on page 5-12 for more information.
Host network objects
A host network object is an individual machine connected to the
network. When specifying a host object, you must use a host name
that is resolvable by DNS, or provide at least one IP address that is
resolvable by DNS. See “Configuring host objects” on page 5-13 for
more information.
IP address network objects
A network object can be an IP address of an individual machine
connected to the network. A machine can have more than one IP
address. See “Configuring IP address objects” on page 5-15 for more
information.
Netmap network objects
Many organizations use network address translation (NAT) and/or
redirection to prevent internal addresses from being visible to external
users. On the Sidewinder G2, NAT refers to rewriting the source
address of the packet, while redirection refers to rewriting the
destination address of the packet.
For example, when a user sends a packet from an internal IP address
on the Sidewinder G2 to an external IP address, the Sidewinder G2
intercepts the packet. If NAT is enabled for the matching rule, the
Sidewinder G2 re-assigns (or translates) the source address to its
external address (or an address you specify). Therefore, all traffic
leaving your system appears to come from a single external IP
address.

Rule elements
If an organization requires many different address translations for
multiple IP addresses, you would normally need to create an
individual rule for each different NAT or redirection scenario, which
can become difficult to manage. However, using netmaps you can
map multiple IP addresses and subnets to alternate addresses without
creating numerous rules.
A netmap consists of one or more netmap members. A netmap
member is any IP address or subnet object that you define. Each
member in the netmap is mapped to an alternate address that you
specify. See “Configuring netmaps” on page 5-16 for more
information.
When creating a rule, you can use netmaps as follows:
If you select a netmap in the source address field for a rule, the
appropriate NAT properties are automatically supplied based on
the mapping configured for each IP address or subnet in that
netmap.
If you select a netmap as the destination address in a rule, the
appropriate redirection properties are automatically supplied
based on the mapping configured for each IP address and subnet
in that netmap.
Subnet network objects
A subnet network object is a subset of a larger network, and consists
of a network address and a subnet mask. A subnet object defines a
range of IP addresses within a specific subnet. See “Configuring
subnet objects” on page 5-17 for more information.
Note: For more information on subnets, refer to Section 13.4 in the UNIX System
Administration Handbook, third edition.
Netgroup objects
A netgroup object consists of two or more network objects, identified
by a single name. For example, you can define a netgroup that
includes a number of domains, several hosts that are outside of these
domains, and a subnet. See “Configuring netgroup object” on page 5-
18 for more information.
Note: A netgroup may contain nested netgroups as members.
Understanding Policy Configuration 4-11

Rule elements
Figure 4-5. Netgroup
4-12 Understanding Policy Configuration
Figure 4-5 shows a sample netgroup configuration.
members of
“sales”
network
group
As shown in Figure 4-5, a netgroup named “Sales” is comprised of
two domains within a sales organization and an individual system
using IP address 172.16.12.3. Suppose you want to allow users in all
three of these network objects to access Telnet servers anywhere on
the Internet. You need to create a rule to configure the connection,
specifying ‘Sales’ as the source and a wildcard (leave the field blank to
indicate a wildcard) as the destination. Without creating the Sales
netgroup, you would need to make three rules to configure the Telnet
access, one for each network object.
You can create netgroups for network objects that are inside or
outside of the Sidewinder G2. A netgroup can include nested
netgroups.
Service groups
presales.bizco.net
sales.bizco.net
172.16.12.3
A service group is a collection of selected proxies and/or servers.
Once defined, a service group can be used in a proxy rule to regulate
access to the services in the group. There are important administrative
benefits gained by using service groups: While a typical proxy rule
will regulate access for a single proxy or server, a proxy rule that is
implemented using a service group can regulate access for multiple
proxies and/or servers. Grouping services together in this manner
enables you to reduce the overall number of rules you define, which
in turn reduces the overall complexity of your rule database. A less
complex rule database means there is less chance of introducing
errors that may affect the integrity of your security policy. You can
also configure Application Defense groups for rules that use service
groups to specify advanced properties for each proxy included in that
rule. (See “Application Defenses” on page 4-14 for an overview of
Application Defenses.)
Note: Service groups are used only in proxy rules.
internal
network
Sidewinder G2
Internet

Example of a rule that uses a service group
Rule elements
Here’s an example that illustrates the power of a service group.
Assume you have a netgroup named eng_net_grp that consists of all
the engineers in your organization. If you want to grant Web, FTP, and
Telnet access to this group, you might do so by defining three
separate rules. Table 4-1 illustrates how these three rules might look
in the rule database.
Table 4-1. Typical rules not using service groups
No. Name Service Service Type Enabled Action
1 http_out HTTP proxy Enabled Allow
2 ftp_out FTP proxy Enabled Allow
3 telnet_out Telnet proxy Enabled Allow
A better option, however, is to use a service group. This enables you
to accomplish the same thing with one proxy rule. Create a service
group that contains the HTTP, FTP, and Telnet proxies, then use this
service group when defining the proxy rule. Table 4-2 illustrates the
service group you might create, and Table 4-3 illustrates how the
resulting proxy rule will appear in a rule.
Table 4-2. Sample service group
Service Group Name Selected Proxies Selected Servers
EngServGrp HTTP, FTP, Telnet
Table 4-3. Sample proxy rule using a service group
No. Name Service Service Type Enabled Action
1 Eng_rule EngServGrp servicegroup Enabled Allow
Understanding Policy Configuration 4-13

Application Defenses
Application
Defenses
4-14 Understanding Policy Configuration
Please note the following points about service groups:
The services in a service group can be either all allowed or all
denied on a proxy rule. It is not possible to use the same proxy
rule to allow access to a subset of services in a service group while
at the same time deny access to a different subset of services.
Service groups are extremely effective when implemented in a
proxy rule that regulates access for a user group or netgroup. Keep
in mind, however, that all members in the user group or netgroup
must conform to the same security policy (that is they will all be
allowed or denied access to the same collection of services).
Authentication can be configured for a service group rule, even if
not every service in the group permits authentication. The
Sidewinder G2 is able to differentiate which services require
authentication within a group. Mixed service groups
(authenticating and non-authenticating services) are best used with
allow rules. You can use SSO to require authentication for all
services in a service group.
You can define as many service groups as needed.
As always, the sequencing of rules within the active rule group
remains important, regardless of whether a service group is used.
Application Defenses allow you to configure advanced applicationspecific
properties for each proxy, including basic timeout properties
and application-specific permissions. You can also configure key
services such as anti-virus, anti-spam, SSL decryption, and Web
services management.
You can create Application Defenses in advance and then select the
defense for each rule that you create, or you can create defenses
during rule creation. Whether you create Application Defenses in
advance or within a proxy rule, the defense will be saved to a
common database and can be used for other proxy rules without
needing to be recreated for other rules.
Application proxies that allow you to configure connection properties
are included in the Standard Application Defense. (You can also
configure transparency properties for the Telnet proxy within a
Standard Application Defense.) Application proxies that allow you to
configure advanced, application-specific options (such as anti-virus,
application permissions, etc.) as well as connection properties have
their own branch in the Defenses branch (e.g., Web, Secure Web,
Mail, Multimedia).

Application Defenses
You can also create Application Defense groups that allow you to
specify an Application Defense for each category (Web, Secure Web,
Mail, Standard, etc.). Application Defense groups are most useful
when creating rules that use service groups. When you create an
Application Defense group, you can configure and specify an
Application Defense for each application included in a service group.
For an example of how an Application Defense group is used in a
rule, see “Using Application Defense groups and service groups to
minimize rule creation” on page 4-16.
The following list summarizes the various categories of Application
Defenses:
Note: For information on specifying an Application Defense in a proxy rule, see “Creating
proxy rules” on page 7-4.
Web—This category allows you to configure advanced parameters
for HTTP, including header filtering and MIME/virus filtering. For
information on configuring a Web Application Defense, see
“Creating Web or Secure Web Application Defenses” on page 6-4.
Secure Web—This category allows you to configure advanced
parameters for Web-based proxies, such as HTTPS and SSO. For
information on configuring a Secure Web Application Defense, see
“Creating Web or Secure Web Application Defenses” on page 6-4.
Web Cache—This category allows you to configure Squid
parameters for SmartFilter. For information on configuring a Web
Cache Application Defense, see “Creating Web Cache Application
Defenses” on page 6-19.
Mail—This category allows you to configure mail filtering and antivirus
services to ensure that all e-mail traffic is scanned and filtered
before being allowed through to your internal networks. For
information on configuring a mail Application Defense, see
“Creating Mail Application Defenses” on page 6-21.
Citrix—This category allows you to configure advanced ICA proxy
parameters. For information on configuring a Citrix Application
Defense, see “Creating Citrix Application Defenses” on page 6-31.
FTP—This category allows you to configure FTP permissions. For
information on configuring an FTP Application Defense, see
“Creating FTP Application Defenses” on page 6-33.
Understanding Policy Configuration 4-15

Application Defenses
4-16 Understanding Policy Configuration
IIOP—This category allows you to configure filtering properties for
the Internet Inter-ORB Protocol (IIOP) proxy. For information on
configuring an IIOP Application Defense, see “Creating IIOP
Application Defenses” on page 6-34.
Multimedia—This category allows you to configure permissions for
T.120 and H.323 proxies. For information on configuring a
multimedia Application Defense, see “Configuring the IIOP
Connection tab” on page 6-35.
Oracle—This category allows you to configure continuous session
monitoring to prevent spoofing and tunneling attacks while
sessions are in progress for the SQL proxy. For information on
configuring an Oracle Application Defense, see “Creating Oracle
Application Defenses” on page 6-38.
SOCKS—This category allows you to configure advanced properties
for the SOCKS proxy. For information on configuring a SOCKS
Application Defense, see “Creating SOCKS Application Defenses”
on page 6-41.
SNMP—This category allows you to configure advanced properties
for the SNMP proxy. For information on configuring an SNMP
Application Defense, see “Creating SNMP Application Defenses”
on page 6-42.
Standard—This category allows you to configure connection
properties for application proxies that do not require additional
configuration options. You can also configure transparency
properties for the Telnet proxy. For information on configuring a
standard Application Defense, see “Creating Standard Application
Defenses” on page 6-45.
Using Application Defense groups and service groups to
minimize rule creation
The pre-configured rule called InternetServices uses a service group
by the same name (InternetServices). This service group consists of
multiple applications such as HTTP, HTTPS, FTP, ping, and Telnet that
require Internet access. Using an Application Defense group in this
rule allows you to configure advanced, application-specific properties
for each service contained in that service group without creating a
separate rule for each application. The following table lists the
applications that are contained in the InternetServices service group
and how each application utilizes the Application Defense group.

Proxy rule basics
Table 4-4. Application Defense group used in the InternetServices rule
Service Group Apps Application Defense Used in Group
finger Standard (finger-specific connection properties)
ftp FTP (FTP allowed permits, connection properties)
gopher Standard (gopher-specific connection properties)
http Web (header filtering, MIME/virus filtering, etc)
https SecureWeb (SSL decryption, MIME/virus filtering, etc)
nntp Standard (nntp-specific connection properties)
ping Standard (ping-specific connection properties)
RealMedia Standard (RealMedia-specific connection properties)
rtsp Standard (rtsp-specific connection properties)
telnet Standard (Telnet-specific connection properties)
Proxy rule basics The following subsections provide information on the basic
components that comprise a proxy rule.
Note: This section provides an overview of proxy rules. For instructions on creating proxy
rules, see “Creating proxy rules” on page 7-4.
Basic criteria used to allow or deny a connection
Sidewinder G2 determines whether to allow or deny a proxy or server
connection by sequentially checking the rules in the active proxy rule
group for the first match to ALL criteria attributed to the connection
request. When a match is found, the connection will be allowed or
denied based on the option selected in the Action field. The basic
criteria used to allow or deny a connection includes the following:
Note: The Sidewinder G2 uses the first proxy rule that matches all characteristics of the
connection request to determine whether the connection will be allowed or denied.
Understanding Policy Configuration 4-17

Proxy rule basics
4-18 Understanding Policy Configuration
source or destination burb—You can configure a proxy rule to allow
or deny connections based on the source burb, the destination
burb, or both.
source or destination network object—You can configure a proxy rule
to allow or deny connections based on the source network object,
the destination network object, or both. The source or destination
object can be an IP address, a host name, a domain name, a
netmap, a subnet, or a netgroup. A netgroup is a grouping of
network objects defined by the Sidewinder G2 administrator (see
“Network objects” on page 4-9 for more information on
netgroups).
connection service type—You can configure a proxy rule to allow or
deny connections based on the service type providing the
connection in the Sidewinder G2. Service types include:
— All—Allows connection service for both proxies and servers,
but not service groups.
— Proxy—Provides a connection through the Sidewinder G2 in
order to access a remote system.
— Server—Provides a service (such as Telnet) directly on the
Sidewinder G2.
— Service group—Allows multiple proxies and/or servers to be
grouped together and used to define a single proxy rule.
type of network service requested—You can configure a proxy rule to
allow or deny connections based on the type of network service
that will be provided between the client and server. For proxy
connections, the services include FTP, Telnet, and Web (HTTP), as
well as many others.
Optional criteria used to allow or deny a connection
When setting up a proxy rule, you can also specify the following
optional criteria for a connection.
Note: You can specify any of the following criteria in an ’allow’ rule. However, only the
authentication and date/time bullets apply to a ’deny’ rule.

Proxy rule basics
the user requesting the connection—You can configure a proxy rule
to allow connections based on a group for which the user
requesting the connection is a member. A user group is comprised
of multiple users defined by the Sidewinder G2 administrator (see
“Users and user groups” on page 4-8 for more information on user
groups). This option is only valid when using authentication or
SSO.
authentication—You can configure a proxy rule to require the
Sidewinder G2 to authenticate the user requesting the connection
before granting the connection request. Refer to “Supported
authentication methods” on page 9-5 for detailed information on
the types of authentication services you can use.
You can also configure a proxy rule to deny with authentication.
The purpose of this type of rule would be to allow access to everyone
except a specific group of users. For example, you might want
to deny Telnet access to your contractors but allow access for your
regular employees.
Important: If you are not using SSO, configuring a deny with authentication proxy
rule in a mixed service group (authenticating and non-authenticating services like
Telnet and ping, respectively) will deny all non-authenticating services. However, if
SSO authentication is configured, initial authentication will apply to all services
contained in the service group. See “Service groups” on page 4-12 for more
information.
the time and day when the connection request is made—You can
configure a proxy rule to allow or deny connections based on the
time, the day, or both.
Application Defense properties—You can configure a proxy rule to
allow connections based on advanced application-specific
parameters by selecting the appropriate Application Defense. You
can also configure whether the connection will be transparent or
non-transparent for some proxies. See “Application Defenses” on
page 4-14 for information.
Using NAT and redirection in proxy rules
You can configure proxy rules to perform Network Address
Translation (NAT) and/or redirection. On the Sidewinder G2, NAT
refers to rewriting the source address of the packet, while redirection
refers to rewriting the destination address of the packet. This protects
IP addresses behind the Sidewinder G2 (on your internal network).
The following scenarios demonstrate how NAT and redirection work.
Understanding Policy Configuration 4-19

Proxy rule basics
4-20 Understanding Policy Configuration
Scenario 1 - Internal network to external network Telnet access using
NAT
Internal network 172.17.0.0 requires Telnet access to the external
network 192.101.0.0. The IP address of a machine on the internal
network should not be passed through the Sidewinder G2. Traffic sent
from the internal network to the external network should appear as if
it originated at the Sidewinder G2. Therefore, a rule must be created
that will translate the internal host addresses to the external address of
the Sidewinder G2. To allow this type of access, the NAT information
would be configured as follows:
Source Burb: internal
Destination Burb: external
Source: 172.17.0.0 (internal address)
Destination: 192.101.0.0 (destination address)
NAT Address: localhost
Scenario 2 - Redirect external connections to an internal Telnet
server
An external network at 192.101.0.0 requires Telnet access to the
internal host at 172.17.120.123. However, 192.101.0.0 is not allowed to
directly route to the internal host. External hosts will initiate a Telnet
connection to the external side of the Sidewinder G2 (localhost). The
rule will then rewrite the destination address to that of the internal
host and then forward the traffic onward. The TCP/UDP allow
information for the rule could be configured as follows:
Source Burb: external
Destination Burb: internal
Source: 192.101.0.0 (source address)
Destination: localhost
Redirection Address: 172.17.120.123 (internal host)
Simple proxy rule examples
This section provides several examples of proxy rules to help you
better understand how the Sidewinder G2 uses a rule to determine
whether to allow or deny a connection request.

Proxy rule basics
Table 4-5 summarizes criteria for a proxy rule that permits any client
in a trusted burb to connect to any Web server located in the Internet
burb.
Note: This criteria reflects only the basic settings needed to allow access.
Table 4-5. Sample settings for a simple proxy rule
Basic rule
Criteria
Service Type
Setting
There are a number of optional effects you can configure for each
proxy rule. For example, by adding the entry options shown in Table
4-6, you can specify which internal users are allowed Web access,
specify a time interval when Web access is allowed, and require
authentication.
Table 4-6. Optional proxy rule options
Comments
Proxy Software service type: proxy, server, or service
group.
Service HTTP Type of service: Telnet, FTP, Web (HTTP), etc.
Action Allow Specifies whether to allow or deny a service.
Source Burb Internal Name of the source burb.
Source any (leave blank) Name of the source network object.
Dest. Burb Internet Name of the destination burb.
Destination any (leave blank) Name of the destination network object.
App. Defense Web Contains application-specific properties.
Optional Rule
Criteria
Setting
Comments
User Group marketing Specify the name of a user group.
Authentication Password Specify the authentication method(s). FTP
and Telnet proxies and console logins can
also specify Password, Radius, SafeWord,
SecurID, or SNK.
Times/Day Mon-Fri
7am-7pm
Specify the time restrictions for allowing or
denying service.
Important: If you are not using SSO, user groups can be used in an allow rule only if the
specified service supports authentication (login, Telnet, FTP, Web, or secure shell [SSH]).
Understanding Policy Configuration 4-21

Proxy rule basics
Figure 4-6. Sample
Network Configuration
4-22 Understanding Policy Configuration
Example of proxy rules using netgroups
For the configuration shown in Figure 4-5, the Sidewinder G2
administrator has grouped all internal systems into one of three
netgroups: marketing (mkt_net_group), engineering (eng_net_group),
and accounting (acct_net_group).
Note: For more information on netgroups, see “Network objects” on page 4-9.
mkt_net_grp
eng_net_grp
acct_net_grp
internal burb
172.20.1.1
proxies
Sidewinder G2
external burb
192.55.214.2
Internet
192.55.12.3
Suppose you want to allow all groups access to external FTP sites but
only the engineering group access to FTP host 192.55.12.3. Table 4-7
shows the proxy rules in the order that they should be added to the
rule group.

Table 4-7. Proxy rules for sample configuration shown in Figure 4-6
Proxy rule
Criteria
Rule 1:
allow_eng_ftp
Rule 2:
deny_other_ftp
Service Type Proxy Proxy Proxy
Service FTP FTP FTP
Action Allow Deny Allow
Source Burb Internal Internal Internal
Proxy rule basics
Rule 3:
allow_oth_ftp
Source eng_net_group any (leave blank) any (leave blank)
Dest. Burb Internet Internet Internet
Destination 192.55.12.3 192.55.12.3 any (leave blank)
User Group any (leave blank) any (leave blank) any (leave blank)
Authentication SafeWord
Times/Days Fri 7am-7pm
Application
Defense (FTP)
Allow Put/Get deny_all Allow Put/Get
The following list summarizes key points to consider for the proxy
rules listed in Table 4-7.
Rule 1 allows all systems in the engineering group authenticated
FTP access to IP address 192.55.12.3 on the Internet, but only on
Friday between 7:00 a.m. and 7:00 p.m.
Note: This rule requires users to authenticate themselves via SafeWord before an
FTP connection is allowed.
Rule 2 denies all systems in the trusted burb named internal from
FTP service to IP address 192.55.12.3 on the Internet.
Rule 3 allows FTP service from all systems in the internal trusted
burb to any external system in the Internet burb.
Understanding Policy Configuration 4-23

Proxy rule basics
4-24 Understanding Policy Configuration
Advanced proxy rule example using service groups
Now assume you want to specify all the various privileges afforded
each of the three netgroups in Figure 4-7. You could do this by
defining many different allow and deny proxy rules. However,
because the source and destination criteria for each of the network
objects within a group are identical, a more elegant option is to use
service groups. Service groups enable you to use a single proxy rule to
define all the privileges assigned to a particular group.
Note: For more information on service groups, see “Service groups” on page 4-12.
For example, assume you want to assign the following privileges to
each of the netgroups in Figure 4-7:
Engineering group—Access to all Sidewinder G2 proxies and servers
Marketing group—Access to the Web, FTP, and e-mail via the http,
ftp, and smtp proxies
Accounting group—Access to FTP and e-mail via the ftp and smtp
proxies
You first define three different service groups. This is illustrated in
Table 4-8.
Table 4-8. Sample service groups
Service group
Criteria
Selected
Proxies
Selected
Servers
EngServiceGrp MktServiceGrp AcctServiceGrp
All proxies HTTP, FTP, SMTP FTP, SMTP
All servers None None
You then use the service groups when defining your proxy rules.
Table 4-9 shows the sample proxy rules.

Table 4-9. Proxy rules for the advanced rule group example
Proxy rule
Criteria
Active rules for
Administration Only
Entry 1:
eng_rule
Default rules
Entry 2:
deny_other_ftp
Proxy rule basics
As mentioned earlier in this chapter, when you configure the
Sidewinder G2 you can select from one of two sets of default services
that will be automatically placed in the active proxy rule group during
initial configuration:
Administration Services Only
Standard Internet
Entry 3:
mkt_rule
Entry 4:
acct_rule
Service Type Service Group Proxy Service Group Service Group
Service EngServiceGroup FTP MktServiceGroup AcctServiceGroup
Action Allow Deny Allow Allow
Source Burb Internal Internal Internal Internal
Source eng_net_group Any (leave blank) mkt_net_group acct_net_group
Dest. Burb Any (leave blank) Internet Internet Internet
Destination Any (leave blank) 192.55.12.3 Any (leave blank) Any (leave blank)
User Group Any (leave blank) Any (leave blank) Any (leave blank) Any (leave blank)
Authentication SafeWord SafeWord SafeWord
Times/Days
Application
Defense group
Web
FTP
Mail
deny_all Web
FTP
Mail
Web
FTP
Mail
If you select Administration Services Only, a minimum list of rules
(needed to maintain an operational Sidewinder G2) are placed in the
default active rule group, called Administration. No traffic is allowed
between any of the burbs. The minimum set includes the following
rules:
Note: If you select Administration Services Only, the default Standard Internet rules will
still be placed in the Rules window for later use, if needed. However, they will not initially be
included in the active proxy rule group.
Understanding Policy Configuration 4-25

Proxy rule basics
Additional rules for
Standard Internet
4-26 Understanding Policy Configuration
Table 4-10. Administration Services Only active proxy rules and rule groups
Proxy rule name Summary
Login Console This rule allows administrators to log in directly at the
Sidewinder G2, using an attached keyboard and monitor.
Admin Console This rule allows administrators to connect to the
Sidewinder G2 using the Admin Console.
Single Sign-On This rule allows redirection to the Single Sign-On (SSO)
daemon. It is initially disabled. If you will be using SSO
authentication, you will need to enable this rule.
Synchronization This rule allows the synchronization server to access the
burbs for which it is enabled. This rule is initially disabled.
If you configure One-To-Many or High Availability, you
will need to enable this rule.
Entrelay This rule allows relay service access to the burbs for
which it is enabled. This rule is initially disabled. If you are
configuring One-To-Many or High Availability, you will
need to enable this rule.
Shun Server This rule allows shund server to accept shunning
requests from an Intrusion Detection Servers (IDS), and
verify the signature on the data that the IDS has
generated. This rule is initially disabled.
If you selected Standard Internet services, the following additional
rules will be added to the proxy rule list. (The rule names may vary
slightly on your system.)
Note: Rules that are automatically placed in the default active proxy rules are bold.
However, some rules need to be enabled before they will pass traffic.

Mutually
exclusive rules for
Transparent DNS
configurations
Proxy rule basics
Table 4-11. Additional rules and groups included in the Standard Internet rule
set
Rule Name Summary
Internet Services This rule is automatically included in the active proxy
rule group. It provides users access to the most
commonly used Internet services using a preconfigured
“InternetServices” service group. The
Standard Internet rule regulates access to the
following proxies and servers:
Finger
FTP
Gopher
HTTP
HTTPS
NNTP
Ping
Real Media
RTSP
Telnet
NetMeeting This rule is also added to the Rules window, but is not
automatically included in the active proxy rules. If
your site requires NetMeeting access, refer to “T.120
and H.323 proxy considerations” on page 8-22.
dns self Allows DNS clients from the specified internal burb
to use the unbound DNS server on the Sidewinder
G2
Plus the rule below if using transparent DNS with a single external
resolver
dnsp_all_to_external
_resolver
Allow DNS clients in internal burb through to the
external resolver
Plus the rules below if using transparent DNS with a single internal
resolver
dnsp_internal_to
_external
dnsp_external_to_inter
nal_prim_resolver
Allow DNS clients on the internal burb to proxy
through to the external burb
Allow DNS clients on the external burb to proxy
through to the internal primary resolver
Plus the rules below if using transparent DNS with both internal &
external resolver (split)
dnsp_deny_external_to
_internal_resolvers
dnsp_all_to_internal
_resolvers
dnsp_internal_
resolvers_to_external
Deny DNS clients in the external burb to the internal
burb resolvers, used with the
dnsp_all_to_internal_resolvers entry
Allow DNS clients in all burbs to the internal burb
resolvers, used with the
dnsp_deny_external_to_internal_resolvers entry
Allow the internal burb resolvers through to the
external burb
Understanding Policy Configuration 4-27

IP Filter rule basics
Mutually
exclusive rules for
SMTP
configurations
IP Filter rule basics IP Filter rules allow you to securely forward IP packets between
networks, allowing traffic to pass between the networks (for example,
encrypted VPN sessions). You can create IP filter rules for TCP, UDP,
ICMP, and many other protocols (such as AH).
4-28 Understanding Policy Configuration
Rule Name Summary
Plus the rules below if using transparent SMTP
smtp out Allow SMTP access from internal to external. This rule
is created and included in the Mail rule group if you
selected transparent Mail services during
configuration.
smtp in Allow SMTP access from external to internal. This rule
is created and included in the Mail rule group if you
selected transparent Mail services during
configuration.
Plus the rule below if using Secure Split SMTP
smtp all This rule is created and included in the Mail rule
group if you selected Secure Split SMTP servers
during configuration.
Functionally, IP Filter is based upon a rule database in the Sidewinder
G2 kernel. IP Filter rules filter incoming packets based on source and
destination IP address. Like proxy rules, IP Filter rules also have the
option of using network address translation (NAT) and/or redirection.
You can configure and manage the IP Filter rule database using the
Admin Console.
IP Filter processing can be configured to reject the following source
address packets:
Packets with broadcast source addresses
Packets with source addresses on a loopback network that were
received on a non-loopback device
Note: Packets that are rejected for source route information will generate a
netprobe audit event.
When you initially configure the Sidewinder G2, you will have a
default IP Filter rule group that is assigned in the active rules. This
rule group is empty. You can create and add rules and/or rule groups
to this group, or create your own group and assign it as the active rule
group instead.

Figure 4-7. IP Filtering on
non-TCP/UDP packets
incoming
packet A
incoming
packet B
IP Filter rule basics
The following two sections summarize how IP Filtering works for
non-TCP/UDP traffic and for TCP/UDP traffic.
Note: For information on creating IP Filter rules, see “Creating IP Filter rules” on page 7-
12.
Using IP Filter to filter non-TCP/UDP traffic
When a non-TCP/UDP packet is received on one of the Sidewinder
G2 network interfaces, the Sidewinder G2 checks the active IP Filter
rules to determine whether the packet matches any of the allow rules
specified. If a rule match is found, the packet source or destination
address and ports will be translated according to the translation
information that is configured for that rule. The packet then is
forwarded on for any further Sidewinder G2 processing. The
flowchart in Figure 4-7 illustrates this process.
Note: If there are no rules in the IP Filter database, the IP Filter is bypassed and the
Sidewinder G2 performs normal processing on the packet.
active IP
Filter rules
no match
match
Sidewinder G2
Deny Rule
reject packet
no further
processing
allow or
deny rule?
Allow Rule
translate packet
(as rule
required)
continue application
layer proxy
processing
Understanding Policy Configuration 4-29

IP Filter rule basics
4-30 Understanding Policy Configuration
Using IP Filter to filter TCP/UDP traffic
Security Alert: Secure Computing strongly recommends that you use IP Filter only for
non-TCP/UDP protocols, such as Vines, PPTP, NES, etc. Using IP Filter for a TCP/UDP
protocol will, in most cases, severely degrade the effectiveness of the Sidewinder G2 and
will expose your network to security hazards.
When a TCP or UDP packet is received on one of the Sidewinder G2
network interfaces, the Sidewinder G2 checks an IP Filter session
record database to determine if an active session record exists for this
traffic.
Note: The following bullets assume that session tracking is enabled.
If an active session record exists, the following occurs:
— Perform address rewriting, if required
— Perform session processing
— Forward packet directly to the correct destination interface
without any additional processing
If no active session record exists, the Sidewinder G2 checks the IP
Filter allow TCP/allow UDP database to determine if an allow rule
exists that will permit this traffic to be forwarded.
If an allow rule does not exist, normal Sidewinder G2 processing is
performed on the packet.
If an allow rule does exist, the following occurs:
— Add a session record to the session record database
— Perform Network Address Translation (NAT) if required
— Session processing occurs
— Forward packet directly to the correct destination interface
without any additional processing by the Sidewinder G2
The flowchart in Figure 4-8 illustrates the complete process.

Figure 4-8. IP Filtering on
TCP/UDP packets
TCP/UDP
packet
in
does a
session
exist?
yes
translate as
required
perform
session
processing
forward
message w/o
further
processing
no
match
“allow”
rule?
add a
session
perform
additional
processing
Using NAT and redirection for IP Filter rules
IP Filter rule basics
Many organizations use network address translation (NAT) and/or
redirection to prevent internal addresses from being visible to external
users. On the Sidewinder G2, NAT refers to rewriting the source
address of the packet to the external address of the Sidewinder G2 (or
an address you specify). This allows you to protect (or hide) the
actual client source address, and in the case of non-routable source
addresses (such as 10.0.0.0) rewrite it to an address that can be routed
on the Internet. Redirection refers to rewriting the destination address
of an incoming packet to a redirect host for delivery.
yes
no
Sidewinder G2
out
Understanding Policy Configuration 4-31

IP Filter rule basics
Figure 4-9. Example
network
4-32 Understanding Policy Configuration
Note: NAT and redirection function independently of one another. For applications that
allow either side of a connection to act as the client, you will generally create two rules: one
using NAT, and one using redirection.
Caution: Allowing IP Filter to pass traffic without NAT or redirection is possible assuming
all addresses are routable. However, it is not recommended because it will expose internal
addresses to the external side of your Sidewinder G2.
When NAT or redirection is enabled in a rule, the source address in
the rule is always protected, as follows:
For a rule of source-> destination, enabling NAT will "hide" the
source address from the destination for traffic originating from the
source by translating that address to the external address of the
Sidewinder G2.
For a rule of source -> redirect address, the destination (or external
Sidewinder G2 address) will be redirected to the actual source
address and hides the redirected address for traffic returning to the
source.
Note: NAT or redirection are not allowed for bi-directional TCP/UDP IP Filter rules with
session tracking enabled.
For the following scenarios, assume your network looks like this:
172.17.0.0 internal
network
172.17.129.130 10.11.12.13
Sidewinder
G2
Limitations of NAT for IP Filter TCP/UDP protocols
192.101.0.0
external network
Note the following limitations when setting up rules involving address
rewriting for TCP/UDP protocols.
NAT and redirection are not allowed for bi-directional TCP/UDP IP
Filter rules with session tracking enabled.
For address rewrite rules with redirection to the source address,
only uni-directional rules are allowed. Furthermore, the destination
address in this type of rule must have a significant bits value of 32
(that is, it must be a single host). This is because the redirect
address must be a single host.

Setting the IP Filter NAT port rewrite range
IP Filter rule basics
When a packet from a source reaches the Sidewinder G2 and matches
an IP Filter rule with NAT configured, the source port and source
address will be rewritten and the packet will then be forwarded to its
destination.
To facilitate this process, the IP Filter reserves a block of 200 ports for
its own use. The OS will never allow a process to bind to a port in
this range. Creating a TCP generic services proxy in this port range
will not work. The default range is set to 38000–38199.
If you need a port in IP Filter's reserved range (perhaps for a generic
proxy), the range can be moved by modifying the Start of Reserved
Ports field in the IP Filter Properties window. See “Viewing and
modifying general IP Filter properties” on page 7-25.
It is possible that an existing TCP proxy connection may be using a
port in the range you specify. In this case the ipfilter command
will fail. You should look at the current port usage by entering the
netstat -a command and adjust the IP Filter port range accordingly.
Specifying the source port in an IP Filter rule
The Sidewinder G2 enables you to specify the source port value to
use in an IP Filter connection. This capability is typically only used
when connecting to an application that requires the source port to be
a specific value. (In some cases the application will require the source
port to be the same value as the port on which the application is
listening.)
This capability is implemented by configuring NAT on the appropriate
IP Filter rule. This "source port" implementation of NAT, however, is
different from a normal implementation of NAT.
Normal—Each connection uses the same IP address but gets its
source port from a pool of ports. When using normal NAT rules,
the total number of connections is dependent on the number of
ports reserved for IP Filter in the IP Filter Properties window.
Understanding Policy Configuration 4-33

IP Filter rule basics
Figure 4-10. Normal NAT
IP Filter rule
implementation
4-34 Understanding Policy Configuration
Source port—Each connection uses the original client source port,
but gets its translated IP address from a pool of IP addresses. (The
pool of IP addresses is derived from whatever IP aliases are
defined for the associated NIC. The total number of connections is
therefore dependent on the number of alias addresses defined for
the NIC.) The pool of addresses is normally a group of alias IP
addresses associated with the destination NIC. The total number of
connections is therefore dependent on the number of IP addresses
specified by the rule.
Figure 4-10 and Figure 4-11 illustrate the differences in the two
implementations.
A
172.27.18.9
internal
network
38000
....
38199
Sidewinder
G2
Possible connections from
workstation A to application B
using a normal NAT IP Filter rule
Internal IP
172.27.18.9
172.27.18.9
172.27.18.9
172.27.18.9
11.80.1.1
pool of available IP
Filter ports
app. B
192.1.1.1 listening
on port 50
Source IP
Source Port Dest IP Dest Port
11.80.1.1 38142 192.1.1.1 50
11.80.1.1 38077 192.1.1.1 50
11.80.1.1 38012 192.1.1.1 50
11.80.1.1 38184 192.1.1.1 50

Figure 4-11. "Source
port" NAT IP Filter rule
implementation
A
172.27.18.9
internal
network
Sidewinder
G2
Possible connections from workstation
A to application B using “source port
NAT IP Filter rule
Internal IP
172.27.18.9:50
172.27.18.9:50
172.27.18.9:50
172.27.18.9:50
IP aliases
11.80.1.4
11.80.1.5
11.80.1.6
11.80.1.7
11.80.1.1
pool of available IP
addresses
IP Filter rule basics
192.1.1.1 listening
on port 50
By specifying one or more IP aliases you can have multiple
connections (each connection uses the same port number but a
different IP address).
Requirements Please note the following requirements when using NAT to specify the
source port of an IP Filter connection.
app. B
Source IP Source Port Dest IP Dest Port
11.80.1.4 50 192.1.1.1 50
11.80.1.5 50 192.1.1.1 50
11.80.1.6 50 192.1.1.1 50
11.80.1.7 50 192.1.1.1 50
This configuration only applies to uni-directional (source ->
destination) TCP/UDP IP Filter rules with stateful inspection
enabled.
Use Source Port when specifying the source port in an IP Filter
connection. See “Creating IP Filter rules” on page 7-12 for more
information.
Understanding Policy Configuration 4-35

IP Filter rule basics
4-36 Understanding Policy Configuration
Sharing IP Filter sessions in an HA cluster
When IP Filter session sharing is configured for an HA cluster, the
primary Sidewinder G2 sends out multicast messages to notify the
secondary/standby Sidewinder G2 of IP Filter session activity (such as
a new session, closed session, or change in session state). Each time a
secondary/standby Sidewinder G2 receives a message, it updates its
local session table accordingly. All sessions received from the primary
Sidewinder G2 will have a status of shared on the secondary/standby
Sidewinder G2.
When HA causes a secondary/standby Sidewinder G2 to take over as
the acting primary, the shared sessions on the acting primary become
available. When a packet is received for a session, it will be validated
against the rules of the acting primary Sidewinder G2. The acting
primary Sidewinder G2 will then begin sending multicast state-change
messages.
Specifying the number of TCP or UDP IP Filter sessions
By default, the Sidewinder G2 allows only 1,000 active TCP and UDP
filter sessions. These limits can be changed by modifying the Max TCP
Sessions or Max UDP Sessions field in the IP Filter General Properties
window. See “About the IP Filter General Properties window” on
page 7-25.

C HAPTER 5
Creating Rule Elements
About this chapter This is a task-oriented chapter that provides instructions for creating
rule elements. Rule elements include users and user groups, network
objects, and service groups. Rule elements allow you to organize
multiple users, objects, or services into useful groups that will save
time and enable you to create fewer rules with greater capabilities.
Creating users
and user groups
Note: For an overview of each rule element, see Chapter 4.
This chapter covers the following topics:
“Creating users and user groups” on page 5-1
“Creating network objects” on page 5-10
“Creating service groups” on page 5-21
A user is a person who uses the networking services provided by the
Sidewinder G2. A user group is a logical grouping of one or more
users, identified by a single name. You can also nest one or more user
groups within a user group.
Note: For basic information on users and user groups, see “Users and user groups” on
page 4-8.
To display the current users and user groups configured for your
Sidewinder G2, using the Admin Console select Policy Configuration ->
Rule Elements -> Users & User Groups. The following window appears.
5
Creating Rule Elements 5-1

5
Creating users and user groups
Figure 5-1. Users and
User Groups window
About the Users and User
Groups window
5-2 Creating Rule Elements
This window displays the users and user groups currently configured
in the user database. In this window you can perform the following
actions:
Note: When you initially install your Sidewinder G2, the only user that will appear is the
user name for the administrator account you defined during installation. There will not be
any user groups defined.
Display users, groups, or both—You can display only users (Users),
only groups (Groups) or both users and groups (All) using the Show
drop-down list.
Filter users and/or groups—You can filter the users and/or groups
that are displayed in the window by typing alphabetic characters
for which you want to filter in the Match field. For example, if you
type br in the Match field, only users and groups whose name
begins with “br” will appear in the list.
Note: The Match field is case sensitive.
Add or modify a user or user group—To add a new user or user group,
see “Configuring users or user groups” on page 5-3. To modify an
existing user or user group, highlight the entry you want to modify
and click Modify.
Tip: You may find it more convenient to create user groups before creating
individual user accounts. That way, as you set up your user accounts, you will be able
to assign them to a group at the same time.

Creating users and user groups
Modify the members of a user group—To modify the members in a
user group, highlight the user group and click Members. See
“Managing user group membership” on page 5-8 for details.
Delete a user or user group—To delete a user or user group, highlight
the entry you want to delete and click Delete. You will be
prompted to confirm this action.
Note: You can select multiple entries by pressing the Shift key while you select
entries. To select several non-consecutive entries, press the Ctrl key as you select the
desired entries.
Configuring users or user groups
To create or modify a user or user group, follow the steps below.
1. Using the Admin Console, select Policy Configuration -> Rule Elements
-> Users & User Groups. The Users and User Groups window appears.
2. In the Show drop-down list, select one of the following options and
then click New:
(To edit a user or user group, highlight the entry you want to modify
and click Modify. You can also double-click the entry.)
All—Select this option to display both users and groups. If you
select this option, when you click New the Create User or Group
Object window appears. See “About the Create New User or Group
Object window” on page 5-4.
Groups—Select this option to display only user groups. If you
select this option, when you click New the New Group Object
window appears. See “Configuring a new group using the New
Group Object window” on page 5-5.
Users—Select this option to display only users. If you select this
option, when you click New the New User Object window appears.
See “Configuring individual user accounts using the New User
Object window” on page 5-6.
Note: To delete an entry, select that entry by clicking on it, and then click Delete.
You are prompted to verify your action—click Yes to delete the entry or click No to
cancel the action.
Creating Rule Elements 5-3

Creating users and user groups
Figure 5-2. Create New
User or Group Object
window
About the Create New User
or Group Object window
5-4 Creating Rule Elements
This window allows you to select whether you want to create a user
or user group.
1. Select one of the following options in the Create field:
New User—Select this option to create a new user.
New Group—Select this option to create a new user group.
2. (New User only) If you want to create a new user account using the
information contained in an existing user account, select the Copy from
existing user option and then select the user account that you want to
copy.
This option will copy the following information fields from the existing
user’s account: Organization, User Fields 1–4, and Group Membership
information. You will still need to enter information for the following
fields: Username, Description, Employee ID, and Password, as these fields
contain information specific to each individual user.
3. Click OK.
If you are creating a new user group, the New Group Object
window appears. See “Configuring a new group using the New
Group Object window” on page 5-5.
If you are creating a new user, the New User Object window
appears. See “Configuring individual user accounts using the New
User Object window” on page 5-6.

About the Group
Information tab
About the Group
Membership Information
tab
Creating users and user groups
Configuring a new group using the New Group Object window
The New Group Object window contains two tabs:
Group Information—This tab is used to define the name of a new
group. Follow the steps below.
Group Membership Information—This is an optional tab that enables
you to make this group a member of one or more other groups
(called a “nested group”). See “About the Group Membership tab”
on page 5-8 for details.
Note: You cannot edit the name of an existing group from this window. To change a
group name you must delete the group, then add it back using the new name.
1. In the Group Name field, type a name for this group. Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
2. [Optional] In the Comments field, type any additional information about
the user group.
3. [Optional] If you want to add or remove this group as a member of
another group, click the Group Membership Information tab and follow
the steps below. If not, click OK.
The Group Membership Information tab enables you to make this group
a member of one or more other groups (called a “nested group”).
1. To add the group that is being created (or modified) as a member of
one or more other groups, click on an existing group in the Available
Groups list to select it, and then click the ==>> button.
Note: You can move multiple groups simultaneously by pressing the Shift key as
you select groups. To select multiple groups, press the Ctrl key and then clicking the
desired entries.
2. To remove the group from one or more groups, select the group in the
Member of Groups list to select it, and then click the

Creating users and user groups
Figure 5-3. User
Information window
About the User Information
tab
5-6 Creating Rule Elements
Configuring individual user accounts using the New User Object
window
The New User Object window contains three tabs:
Tip: You may find it more convenient to create user groups before creating individual
user accounts. That way, as you set up your user accounts you will be able to assign them
to a group at the same time.
When you create a new user account or modify an existing user
account, the User Information window appears. This window contains
three tabs that are used to enter information about a user.
The User Information tab is used to enter descriptive information
about a user. Follow the steps below.
1. In the Username field, type the name the user will enter when he or she
requests a connection that requires authentication. This entry can
consist of up to 16 alphanumeric characters (upper or lower case) but
must start with an alphabetic character. Apostrophes are not allowed
(for example, O’Hare).
2. [Optional] In the Description field, type any information about the user
that may be helpful.
3. [Optional] In the Employee ID field, type an employee ID number, if
applicable.

About the User Password
tab
Creating users and user groups
4. [Optional] In the Organization field, type the organization that the user
is associated with, if applicable.
5. [Optional] In the four User Fields, enter any additional information that
your organization requires. For example, if you will be generating
chargeback reports for authenticated FTP, Telnet, or Web connections,
you might enter account numbers in these fields.
Note: You cannot modify the field names.
6. Select the User Password tab and see “About the User Password tab”
below to define password information for this user.
The User Password tab is used to enter password information for a
user. Follow the steps below.
1. In the Password area, select how the user’s password will be displayed:
Clear Text—This option displays the actual password in the text
box as the user types it in the field.
Encrypted—This option displays the encrypted version of the clear
text password you have entered. (The encrypted version is used for
display purposes only.)
2. Create the user’s password using one of the following methods:
Manually select—If you want to manually create a password that
the user must type when requesting a connection that requires
authentication, click in the text box and type a password. The
password must not exceed 64 characters.
Generate Password—If you want the Sidewinder G2 to
automatically create a password, click Generate Password. This will
be the password the user must type when he or she requests a
connection that requires authentication.
3. If you want the user’s password to expire so they are required to change
it, do the following:
a. Click Expire Password. A confirmation window appears.
b. Click Yes. The Expire Password button changes to a Reinstate
Password button.
c. Click OK and then click the Save icon to save your changes. If the
user’s password is expired, the password will appear in the Password
field with the word EXPIRED prepended to the password.
Note: If you need to re-instate a user’s expired password, click Reinstate Password,
click OK, and then click the Save icon in the toolbar.
Creating Rule Elements 5-7

Creating users and user groups
About the Group
Membership tab
5-8 Creating Rule Elements
4. To delete a user’s password account from the database, click Discard
Password Info. For example, this can be used if you are changing a user’s
authentication method from password to SafeWord and need to
remove the previous password information.
5. Select the Group Membership tab and see “About the Group
Membership tab” below to define group information for this user.
The Group Membership tab is used to assign the user to one or more
existing groups. (For information on setting up a user group, see
“Configuring users or user groups” on page 5-3.)
1. To add the user to a group, select a group in the Available Groups list
and then click the ==>> button.
2. To remove the user from a group, click on a group in the Group
Membership list and then click the Users & User Groups. The Group Information window appears.
2. In the Show drop-down list, select Groups.
3. Highlight a group name to select it, and then click the Members button
in the lower portion of the window. The User Group Membership
window appears.

Figure 5-4. User Group
Membership window
About the User Group
Membership window
Creating users and user groups
This window displays the users and groups that are members of the
selected group. You can perform the following actions from this
window:
Select a group to modify—In the Group Name drop-down list, select
the group for which you want to add or remove members.
Determine which users and groups are displayed—To display only
users, only groups, or both users and groups (all), select the
appropriate item from either Show drop-down list. To further filter
the list, in the Match field enter alphabetic characters for which you
want to filter. For example, if you type br in the text box, only
entries that begin with “br” appear in the list.
Note: The Match field is case sensitive.
Add or remove users as members of the selected group—To add a user
or group to this group, select an entry in the Available Users and
Groups list and then click the ==>> button. To remove a user from
this group, select a user in the Current Group Members list and then
click the

Creating network objects
Creating network
objects
Figure 5-5. Network
Objects window
About the Network Objects
window
5-10 Creating Rule Elements
A network object can be an IP address, a host, a network domain, a
netmap, a subnet, or netgroup. When you create rules to allow or
deny a connection to or through the Sidewinder G2, you must specify
a network object as the source or destination of the connection. The
following sections provide information on creating each type of
network object. For basic information on network objects, see
“Network objects” on page 4-9.
Displaying network objects and netgroups
To display the network objects and groups currently set up in the
Sidewinder G2, using the Admin Console, select
Policy Configuration -> Rule Elements -> Network Objects. The following
window appears.
This window lists the network objects currently configured on the
Sidewinder G2. You can perform the following actions in this
window:
Filter the list of network objects—To modify the list that is displayed,
select an object type from the Filter drop-down list. The list will
then display only network objects of that type.
Configure a new network object—To configure a new object, click
New. The New Network Object window appears. See “About the
New Network Object window” on page 5-12.

Figure 5-6. New Network
Object window
Creating network objects
Modify an existing network object—To modify an existing network
object, highlight the appropriate item within the list and click
Modify. For information on modifying specific fields, refer to the
following sub-sections.
Delete an existing network object—To delete a network object,
highlight the item you want to delete in the list and then click
Delete.
Add or remove a network object from a netgroup—To add or remove a
network object from one or more netgroups, highlight the
netgroup and click the Groups Object In button in the lower portion
of the window. See “Managing the groups to which a network
object belongs” on page 5-20.
View the areas that are currently using a particular network object—To
view the areas (netgroup, netmap, proxy rule) that are currently
using a particular network object, highlight the network object and
click the Object Usage button in the lower portion of the window.
Click Close to exit the Object Usage window.
Note: You cannot modify the information in the Object Usage window.
Creating Rule Elements 5-11

Creating network objects
About the New Network
Object window
Figure 5-7. Network
Objects: Domain window
5-12 Creating Rule Elements
In the Type drop-down list, select the type of object you want to
create. The following options are available:
Note: The fields that appear will vary depending on the type of object you select.
Domain—For information on configuring a domain object, see
“Configuring domain objects” on page 5-12.
Host—For information on configuring a host object, see
“Configuring host objects” on page 5-13.
IP Address—For information on configuring an IP address object,
see “Configuring IP address objects” on page 5-15.
Netmap—For information on configuring a netmap object, see
“Configuring netmaps” on page 5-16.
Subnet—For information on configuring a subnet object, see
“Configuring subnet objects” on page 5-17.
Netgroup—For information on configuring a netgroup object, see
“Configuring netgroup object” on page 5-18.
Configuring domain objects
When you add a new domain using the Admin Console, the following
window appears.

Entering domain
information
Figure 5-8. Host network
object window
Creating network objects
This window is used to define information about a domain. Each
domain you define becomes a network object that can be used in a
rule. Follow the steps below.
1. In the Name field, type a name for this domain object (for example,
“bizco”). (This field cannot be edited if you are modifying an existing
domain.) Valid values include alphanumeric characters, periods (.),
dashes(-), and underscores (_), and spaces ( ). However, the first and last
character of the name must be alphanumeric. The name cannot exceed
100 characters.
2. [Optional] In the Description field, enter any useful information for this
domain object.
3. In the Domain field, enter the domain to use for this object (for example,
“bizco.net”).
4. Click Add to add the domain object. (If you are modifying an existing
domain object, click OK.)
Configuring host objects
When you add a new host, a window similar to the following appears:
Creating Rule Elements 5-13

Creating network objects
Entering host information This window is used to define information about a host. Each host
you define becomes a network object that can be used in a rule.
5-14 Creating Rule Elements
1. In the Name field, type a name of the host. (This field cannot be edited if
you are modifying an existing host.) Valid values include alphanumeric
characters, periods (.), dashes(-), and underscores (_), and spaces ( ).
However, the first and last character of the name must be alphanumeric.
The name cannot exceed 100 characters.
2. [Optional] In the Description field, enter any useful information about
this host.
3. In the Host field, enter the hostname for this host object (for example,
mail.bizco.net).
4. In the DNS drop-down list, determine whether this host will use DNS:
DNS—Select this option to perform normal DNS look-ups.
No DNS—Select this option if you do not want to perform DNS
lookups for this host.
5. If you selected DNS in the previous step, and you need to override the
DNS time-to-live value, do the following:
Note: Overriding the default DNS time-to-live value is not recommended.
a. Select the Override TTL check box.
b. Specify a time value in the first text field.
c. Specify the appropriate time increment in the drop-down list.
For example, if you wanted the DNS time-to-live value to be 30 minutes
you would type 30 in the text field and select minutes from the dropdown
list.
6. To configure the IP address list for a host, do one of the following:
To add a new IP address, click New and refer to “Managing host IP
addresses” on page 5-14.
To modify an existing IP address, highlight the IP address and click
Modify and refer to “Managing host IP addresses” on page 5-14.
To delete an IP address, highlight an entry and click Delete.
7. Click Add to add the host information. (If you are modifying an existing
host object, click OK.)
Managing host IP addresses The IP Addresses window allows you to add an IP address for this
host. When you add IP addresses, if the host name is not known to
DNS, it can be identified here. To assign a new IP address to this host
or modify an existing IP address, follow the steps below.

Figure 5-9. IP Address
network object window
Entering IP address
information
Creating network objects
1. In the Host IP Address field, type the host IP address associated with that
host. The IP address must be entered using standard dotted quad
notation (for example, 1.2.3.4).
2. Click Add, and then click Close.
Note: A host IP address should only be specified if it cannot be derived dynamically
from DNS.
Configuring IP address objects
When you add a new IP address, a window similar to the following
appears.
This window is used to define information about an IP address. Each
IP address you define becomes a network object that can be used in a
rule. Follow the steps below.
1. In the Name field, enter a name for this object. (This field cannot be
edited if you are modifying an existing IP address.) Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
2. [Optional] In the Description field, enter any useful information about
this IP address object.
3. In the IP Address field, type the value of the IP address.
Creating Rule Elements 5-15

Creating network objects
Figure 5-10. Network
Object: Netmap window
Creating/modifying a
netmap entry
5-16 Creating Rule Elements
4. Click Add to add the IP address information. (If you are modifying an
existing IP address object, click OK.)
Configuring netmaps
Netmap objects allow you to map multiple IP addresses and subnets
to alternate addresses without creating numerous rules. A netmap
consists of one or more netmap members. A netmap member is any
IP address or subnet that you add to a particular netmap. Each
member in the netmap is mapped to an alternate address that you
specify. For more information about netmaps, see “Rule elements” on
page 4-6.
To create a netmap, in the New Network Object window, select
netmap. A window similar to the following appears.
This window is used to create or modify a netmap. Each netmap you
define becomes a network object that can be used in a rule. Follow
the steps below.
1. In the Name field, type the name of the new netmap. (This field cannot
be edited if you are modifying an existing netmap.) Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_).
However, the first and last character of the name must be alphanumeric.
The name cannot exceed 100 characters.
2. In the Description field, enter any useful information for this netmap.

About the Netmap
Members window
Creating network objects
3. To create a new netmap member, click New. The Netmap Members
window appears.
Once you add netmap members, you can sort them in the table by
clicking on the column name that you want to sort. For example, if you
want to sort the table by type, click the Type column heading. All of the
entries in the table will be sorted by type and will appear in
alphanumeric order. If you click the heading a second time, the table
will be sorted by type in the reverse alphanumeric order.
4. Click Add to add the netmap information. (If you are modifying an
existing netmap, click OK.)
The Netmap Members window allows you to map an IP address or
subnet address to an alternate address within a netmap. Follow the
steps below.
1. In the drop-down list that appears, select one of the following:
IP Address—Select this option if you want to map an internal IP
address to be translated to a different IP address.
Subnet—Select this option if you want to map a subnet address to
be translated to a different subnet address.
2. In the Original list, select the IP address or subnet that you want to map
to a different address.
3. In the Mapped list, select the IP address to which the original IP address
or subnet (that you selected in the previous step) will be mapped.
4. Click Add.
Configuring subnet objects
When you add a subnet, the following window appears.
Creating Rule Elements 5-17

Creating network objects
Figure 5-11. Subnet
network object window
Entering subnet
information
5-18 Creating Rule Elements
This window is used to define information about a subnet. Each
subnet you define becomes a network object that can be used in a
rule.
1. In the Name field, type a name for this object. (This field cannot be
edited if you are modifying an existing subnet.) Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
2. In the Description field, type any useful information about the object.
3. In the Subnet field, enter the following information:
In the Subnet text field, type the subnet address. You must enter a
valid IP address containing four distinct fields separated by periods
(for example, 1.2.3.4).
In the numeric text box following the subnet field, enter the
number of significant bits for the subnet address. You must enter
an integer value in the range 0–32. For example, if you enter 16,
only the first 16 bits of the address are important.
4. Click Add to add the subnet object. (If you are modifying an existing
subnet, click OK.)
Configuring netgroup object
Tip: You may find it more convenient to create all of your network objects before defining
your netgroup objects. That way, as you set up your netgroup objects, you will be able to
immediately assign the desired network objects to the group.

Figure 5-12. Network
Object: netgroup
window
Entering netgroup
information
Creating network objects
When you add a new netgroup object, the following window appears.
This window is used to define information about a netgroup. Each
group you define becomes a network object that can be used in a
rule. Follow the steps below.
1. In the Name field, type the name of the new netgroup. The name will be
used by rules to identify the netgroup when you set up Sidewinder G2
connections. (This field cannot be edited if you are modifying an
existing group.) Valid values include alphanumeric characters, periods
(.), dashes(-), and underscores (_), and spaces ( ). However, the first and
last character of the name must be alphanumeric. The name cannot
exceed 100 characters.
2. [Optional] In the Description field, enter any useful information about
this group.
3. To add a member to this netgroup, highlight the member in the
Available Members list that you want to add, and then click the ==>>
button to move it to the Chosen Members list. To remove a network
object from this netgroup, highlight the object in the Chosen Members
list, and then click the

Creating network objects
Figure 5-13. Group
Membership window
About the Group
Membership window
5-20 Creating Rule Elements
4. Click Add to add the netgroup. (If you are modifying an existing
netgroup, click OK.)
Managing netgroup membership
You can manage netgroup membership in two ways:
To configure the members of a particular group, select Netgroup in
the Network Object window drop-down list, and highlight the
group you want to configure. Then click Modify and refer to
“Configuring netgroup object” on page 5-18 for detailed
instructions.
To configure the groups for which a particular network object is a
member, see “Managing the groups to which a network object
belongs” on page 5-20.
Managing the groups to which a network object belongs
To determine which groups a network object belongs to, select the
network object you want to configure in the Network Objects
window, and then click Groups Object In. The Group Membership
window appears.
This window allows you to configure the groups to which a particular
network object belongs. The Available list displays all the available
groups. The Selected list displays the groups to which the object
currently belongs. To add/remove the network object to/from a
particular group, do the following:
To add this network object to another group, select the group in
the Available list and then click the ==>> button to move the group
to the Selected list.

Creating service
groups
Figure 5-14. Service
Groups window
About the Service Groups
window
Creating service groups
To delete a network object from a group, select the group in the
Selected list and then click the Service Groups. The
following window appears:
This window allows you to view information for individual service
groups. The Service Group Name list contains all currently defined
service groups.
To view information for a particular service group, highlight the
service group and the information will appear in the right-hand
portion of the window. To add a new service group, follow the steps
below.
Creating Rule Elements 5-21

Creating service groups
5-22 Creating Rule Elements
1. To create a new service group, click New. The New Service Group
window appears. (To modify a service group, highlight the service
group name in the Service Group Name list and proceed to step 3.)
Note: To delete a service group, highlight the service group and click Delete.
2. Type a name for the service group in the New Service Group field and
click Add. The service group is added to the list of service groups in the
main Service Group window. Valid values include alphanumeric
characters, periods (.), dashes(-), and underscores (_), and spaces ( ).
However, the first and last character of the name must be alphanumeric.
The name cannot exceed 100 characters.
3. Determine which proxies you want to assign to the selected service
group. The proxies currently assigned to the selected service group are
listed in the Selected Proxies list. The proxies that are available on the
Sidewinder G2 are listed in the Available Proxies list.
To add a proxy to the Selected Proxies list, click on a proxy name in
the Available Proxies list, and then click the ==>> button.
To remove a proxy from the Selected Proxies list, click on a proxy
name, and then click the button.
To remove a server from the Selected Servers list, click on a server
name, and then click the

C HAPTER 6
Configuring Application
Defenses
About this chapter This is a task-oriented chapter that provides instructions for creating
Application Defenses. For an overview of Application Defenses and
how they are used in rules, see Chapter 4.
Viewing
Application
Defense
information
This chapter covers the following topics:
“Viewing Application Defense information” on page 6-1
“Creating Web or Secure Web Application Defenses” on page 6-4
“Creating Web Cache Application Defenses” on page 6-19
“Creating Mail Application Defenses” on page 6-21
“Creating Citrix Application Defenses” on page 6-31
“Creating FTP Application Defenses” on page 6-33
“Creating IIOP Application Defenses” on page 6-34
“Creating Multimedia Application Defenses” on page 6-36
“Creating Oracle Application Defenses” on page 6-38
“Creating SOCKS Application Defenses” on page 6-41
“Creating SNMP Application Defenses” on page 6-42
“Creating Standard Application Defenses” on page 6-45
“Configuring Application Defense groups” on page 6-46
“Configuring connection properties” on page 6-48
To view the Application Defenses windows, in the Admin Console
select Policy Configuration -> Application Defenses -> Defenses and then
select the type of Application Defense you want to view from the tree.
A window similar to the following appears.
6
Configuring Application Defenses 6-1

6
Viewing Application Defense information
Figure 6-1. Application
Defenses window (Web)
6-2 Configuring Application Defenses
Overview of the Application Defense windows
The top portion of each Application Defense window consists of a
table that lists all of the Application Defenses (by row) that are
currently configured for a particular category. The table columns
display the individual attributes for the defenses. Basic default
defenses (such as Default and Deny All) are pre-configured for each
category of Application Defense.
Note: The Application Defenses that are displayed in the table will vary depending on the
defense category you select from the tree.
You can perform the following actions in any of the Application
Defense windows:
Create/modify/delete an Application Defense—To create a new
Application Defense, click New in the upper portion of the
window. To create a new Application Defense based on an
existing defense, select the defense that you want to duplicate, and
then click Duplicate. You can then modify the defense as needed to
suit your needs. See “About the New/Duplicate Application
Defense window” on page 6-4.
To modify an existing Application Defense, select the defense that
you want to modify from the table. The configuration information
is displayed in the bottom portion of the window. To modify the
Application Defense in a pop-up window format, click Modify.

Viewing Application Defense information
For information on configuring a specific Application Defense, see
the following:
— Web/Secure Web (page 6-4)
— Web Cache (page 6-19)
— Mail (page 6-21)
— Citrix (page 6-31)
— FTP (page 6-33)
— IIOP (page 6-34)
— Multimedia (page 6-35)
— Oracle (page 6-38)
— SOCKS (page 6-41)
— SNMP (page 6-42)
— Standard (page 6-45)
Note: For information on configuring Application Defense groups, see “Configuring
Application Defense groups” on page 6-46.
To delete an Application Defense, select the Application Defense
that you want to delete, and click Delete. You will be prompted to
confirm your decision.
Note: You cannot delete an Application Defense if it is being used in a proxy rule. If
the Application Defense is used in a rule, a pop-up window will appear informing you
which rules are currently using this defense. Before you can delete the defense, you
will need to modify each of the rules to remove the specified defense from those rules.
View the rules in which an Application Defense/Group is currently used—
To view the rules or rule groups that currently use a particular
Application Defense (or group), highlight the appropriate defense
(or group) and click Usage. A pop-up window appears listing the
rule names that are currently using the specified defense. Click
Close when you are finished viewing the rule list.
The bottom portion of each window (or pop-up, if you clicked
Modify) displays the actual configuration information for the selected
Application Defense. The information will vary depending on the
Application Defense category you select. The following fields remain
constant among all Application Defense windows:
Configuring Application Defenses 6-3

Creating Web or Secure Web Application Defenses
Creating Web or
Secure Web
Application
Defenses
6-4 Configuring Application Defenses
Name—This field contains the name of the Application Defense
that you are viewing. This field cannot be modified. If you need to
rename an Application Defense, you can create a duplicate
defense with the desired name, and then delete the existing
Application Defense.
[Web/Secure Web only] Type—This field allows you to specify
whether a defense will be used to protect a server, client, or both.
For more information about the Type field, see “Creating Web or
Secure Web Application Defenses” on page 6-4.
Description—This field allows you to provide information about the
Application Defense to help you more easily identify it.
About the New/Duplicate Application Defense window
When you click New or Duplicate in the Application Defense window,
the New/Duplicate Application Defense window appears. This
window allows you to specify a name for the Application Defense. If
you are creating a Web or Secure Web Application Defense, the “type”
of Web filtering this Application Defense will protect against is also
listed. You cannot modify the Type field when creating a duplicate
defense. Click OK.
When you click OK, the Application Defense is added to the table and
the properties for that defense are displayed in the lower portion of
the window. To configure the new Application Defense, either use the
lower portion of the window, or click Modify to configure the
properties within a pop-up window. The remaining sections in this
chapter provide information for configuring each Application Defense
category.
The Web/Secure Web Application Defenses allow you to configure
advanced parameters for Web (HTTP) or Secure Web (HTTPS and
SSO) proxy rules. To create Web or Secure Web Application Defenses,
in the Admin Console select Policy Configuration -> Application Defenses
-> Defenses and then select Web or Secure Web respectively. One of the
following windows appears. (Figure 6-2 displays only the bottom
portion of the windows.)

Figure 6-2. Application
Defense: Web and Secure
Web
Creating Web or Secure Web Application Defenses
Web Secure Web
Configuring the Web/Secure Web Enforcements tab
The Enforcements tab allows you to select the feature enforcement
tabs that you want to make available for configuration. If you are
configuring a Secure Web Application Defense, you can also
configure SSL decryption properties in the Enforcements tab.
In the Type field, you can specify whether this defense will be used to
protect a server, client, or both, as follows.
Combined—[Web only] This option allows you to create an
Application Defense that can protect both a Web client (outbound)
and a Web server (inbound) behind the Sidewinder G2. When you
select this option, all of the configuration options for this defense
will appear. However, some of the options that you configure will
only apply to the client or server. (For example, HTTP Request
properties do not apply to the client. Therefore, if you select
Combined, HTTP Request properties that you configure will only
apply to the server.)
Client—This option allows you to create an Application Defense
that protects a client behind the Sidewinder G2. Options that do
not apply for client protection (such as HTTP Requests) will not be
available for configuration.
Server—This option allows you to create an Application Defense
that protects a server behind the Sidewinder G2. Options that do
not apply for server protection (such as Content Control options
other than SOAP) will not be available for configuration.
Configuring Application Defenses 6-5

Creating Web or Secure Web Application Defenses
6-6 Configuring Application Defenses
Enabling Web/Secure Web configuration tabs
To enable (or disable) feature enforcement tabs for Web/Secure Web,
you must first select the appropriate check box in the Enforcements
tab. When you select the check box for a feature, that tab becomes
enabled.
Note: The Connection tab does not need to be enabled before you can configure it.
The following tabs can be enabled:
Note: If you are configuring a Secure Web defense, you will need to select the Decrypt
Web Traffic check box before you can enable tabs. See “Configuring SSL decryption
properties [Secure Web server only]” on page 6-7.
— URL Control—The URL Control tab allows you to configure
filtering on the URL contained in the HTTP request. To enable
URL filtering, select this check box. To configure URL filtering
properties, select the URL Control tab and see “Configuring the
Web/Secure Web URL Control tab” on page 6-8.
— HTTP Request—The HTTP Request tab allows you to configure
header filtering on HTTP requests. To enable HTTP header
filtering for HTTP requests, select this check box. To configure
HTTP header request properties, select the HTTP Request tab
and see “Configuring the Web/Secure Web HTTP Request tab”
on page 6-10.
— HTTP Reply—The HTTP Reply tab allows you to configure
header filtering on HTTP replies. To enable HTTP header
filtering for HTTP replies, select this check box. To configure
HTTP header reply properties, select the HTTP Reply tab and
see “Configuring Web/Secure Web HTTP Reply tab” on page
6-11.
— MIME/Virus—The MIME/Virus tab allows you to configure
MIME (Multi-Purpose Internet Mail Extensions) and anti-virus
filtering, virus signature scanning, and infected file handling.
To enable filtering for MIME/virus, select this check box. To
configure MIME/virus properties, select the MIME/Virus tab
and see “Configuring the Web/Secure Web MIME/Virus tab” on
page 6-13.

Creating Web or Secure Web Application Defenses
— Content Control—The Content Control tab allows you to
configure filtering for Web content types including Active X,
Java, scripting languages, and SOAP. (For Secure Web, you can
only configure SOAP filtering.) To enable content filtering,
select this check box. To configure content control properties,
select the Content Control tab and see “Configuring the Web/
Secure Web Content Control tab” on page 6-17.
Configuring SSL decryption properties [Secure Web server only]
The Sidewinder G2 enables you to perform SSL decryption services at
the firewall level on a per rule basis, increasing the security of your
data transactions. You can also use SSL decryption to allow clientless
VPN connections for trusted remote users to provide secure access to
the internal network. (For information on configuring clientless VPN
services, see “Setting up clientless VPN access for trusted remote
users” on page 12-8.) To utilize SSL decryption services on Sidewinder
G2, you must have SSL Decryption and Strong Cryptography licensed on
your Sidewinder G2. For licensing information, see “Activating the
Sidewinder G2 license” on page 3-19.
Tip: To increase performance, you can also utilize a supported hardware accelerator
board (such as Cavium) on your Sidewinder G2.
Note: If you want to utilize SSL decryption using a hardware accelerator on your
Sidewinder G2 and you do not currently have a supported hardware accelerator board
installed on your Sidewinder G2, contact Secure Computing Customer Service for
assistance.
To configure decryption properties for a Secure Web Application
Defense, follow the steps below.
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt Web
Traffic option enabled must have redirection configured.
1. To enable SSL decryption for an Application Defense, select the Decrypt
Web Traffic check box.
2. [Conditional] If you are configuring a Secure Web defense to allow
clientless VPN sessions to access a Microsoft Exchange® Server, select
the Rewrite Microsoft OWA HTTP check box. For details on configuring
the Sidewinder G2 to allow clientless VPN connections for trusted
remote users, see “Setting up clientless VPN access for trusted remote
users” on page 12-8.
Configuring Application Defenses 6-7

Creating Web or Secure Web Application Defenses
Figure 6-3. Web/Secure
Web: URL Control tab
6-8 Configuring Application Defenses
3. Select the appropriate firewall certificate from the Firewall Certificate
drop-down list. This is the certificate that is used to authenticate the
Sidewinder G2 to the remote HTTPS/SSL client. For information on
configuring firewall certificates, see “Configuring Certificate
Management” on page 13-27.
4. Specify the SSL/TLS versions that will be accepted for secure Web
connections. The following options are available:
SSL2—When this check box is selected, the SSL version 2 protocol
will be accepted.
SSL3—When this check box is selected, the SSL version 3 protocol
will be accepted.
TLS1—When this check box is selected, the TLS version 1 protocol
will be accepted.
Note: SSL2 is not recommended. It is only provided to allow compatibility with older
Web browsers/SSL applications. Diffe-Hellman Key Exchange is not supported for
SSL2. You must deselect SSL2 to enable the Require Diffe-Hellman Key Exchange
field.
5. Select the minimum level of cryptography from the Minimum Crypto
Level Strength drop-down list.
Configuring the Web/Secure Web URL Control tab
To configure URL control properties for a Web/Secure Web defense,
click the URL Control tab.
About the URL Control tab The URL Control tab allows you to configure URL properties, such as
which HTTP operations will be allowed and which URLs will be
explicitly denied. Follow the steps below.

Creating Web or Secure Web Application Defenses
Note: The fields in this tab will be disabled unless you select the URL Control check box
on the Enforcements tab.
1. In the Allow Selected HTTP Commands area, select the commands
(operations) that you want to allow users to issue by clicking in the
corresponding check box(es).
To select all of the commands, click Select All. To deselect all of the
commands, click Deselect All. A description of each command is
provided within the window.
2. To disallow special characters in a query, select the Enforce Strict URLs
check box. If you select this option, URLs with certain special characters
will be disallowed under certain circumstances (such as RFC violation).
For example: quote (“), single quote (‘), back quote (`),
brackets ( [ ], { }, < >), pipe (|), back slash (\), karat (^), and tilde (~).
3. To allow international multi-byte characters in a query, select the Allow
Unicode check box.
4. [Server or Combined only] In the Maximum URL Length field, specify the
maximum length allowed for a URL. The default value is 1024
characters. Valid values are 1–10000.
5. To require that the HTTP version be included in all requests, select the
Require HTTP Version in Request check box.
6. [Conditional] If you selected Require HTTP Version in Request in the
previous step, specify the HTTP versions that you want to allow in the
Allow Selected HTTP Versions area. Valid versions are 1.0 and 1.1.
7. In the Deny Specified URL Matches table, you can specify which URLs to
explicitly deny. The table lists any URLs that are currently denied.
To add a URL to the list, click New. To modify a URL in the list, highlight
the click Modify. The Edit URL Parsing Values window appears. See
“Configuring the Edit URL Parsing Values window” on page 6-9 for
information on adding a URL.
Configuring the Edit URL Parsing Values window
This window allows you to create a URL value to add to the Deny
Specified URL Matches table. Follow the steps below.
1. In the String field, type the URL string that you want to deny. For
example: www.do-not-go-here.com
Configuring Application Defenses 6-9

Creating Web or Secure Web Application Defenses
Figure 6-4. Web/Secure
Web: HTTP Request tab
About the HTTP Request
tab
6-10 Configuring Application Defenses
2. In the Match Parameter area, select the portion of the URL that will be
filtered:
Host—Select this option to filter on the URL host
(http://hostname/path).
Path—Select this option to filter on the URL path
(http://hostname/path).
All—Select this option to filter on the entire request
(http://hostname/path).
Configuring the Web/Secure Web HTTP Request tab
To configure HTTP Request properties for a Web/Secure Web defense,
click the HTTP Request tab. The following window appears.
The HTTP Request tab allows you to configure header filtering for
HTTP requests. This tab is only available if you selected Server or
Combined in the Type field. Follow the steps below.
Note: The fields in this tab will be disabled unless you select the HTTP Request check box
on the Enforcements tab.
1. Select the type of HTTP header filtering you want to allow or deny in the
Selected HTTP Request Header Filter Types area. The following options
are available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx request
headers (commonly found in user-defined headers). If you create an Allow list and do
not include the X-* filter type, most Web traffic will be denied.
None—Select this option if you want to deselect all HTTP request
header filter types in the list. (You can also deselect all of the types
by clicking Deselect All.)

Figure 6-5. Web/Secure
Web: HTTP Reply tab
Creating Web or Secure Web Application Defenses
Standard—Select this option if you want to automatically select all
of the header types contained in the list. (You can also select all
header types by clicking Select All.)
Paranoid—Select this option if you want to exclude all options not
defined in the RFC.
Custom—Select this option if you want to manually configure
which HTTP header types you will allow or deny.
2. In the Filter Option field, determine whether you want to allow or deny
the header types you select, as follows:
Allow—Select this option to allow all header types that are
selected in the HTTP Request Header Filter Types window. All other
types will be denied.
Deny—Select this option to deny all header types that are selected
selected in the HTTP Request Header Filter Types window. All other
types will be allowed.
3. In the Denied Header Action area, select one of the following options:
Block Entire Page—Select this option to block the entire page
when an HTTP header is denied.
Allow Page Through Without Denied Headers—Select this option
to mask the denied HTTP header, but still allow the page to be
viewed. (A denied HTTP header will be overwritten with X’s.)
Configuring Web/Secure Web HTTP Reply tab
To configure HTTP Reply properties for a Web/Secure Web defense,
click the HTTP Reply tab. The following window appears.
Configuring Application Defenses 6-11

Creating Web or Secure Web Application Defenses
About the HTTP Reply tab The HTTP Reply tab allows you to configure header filtering for HTTP
replies. Follow the steps below.
6-12 Configuring Application Defenses
Note: The fields in this tab will be disabled unless you select the HTTP Reply check box on
the Enforcements tab. Also, this tab is not available for Secure Web if you select Client in
the Type field.
1. In the Filter Option field, determine whether you want to allow or deny
the header types you select, as follows:
Allow—Select this option to allow all header types that are
selected in the HTTP Reply Header Filter Types window. All other
types will be denied.
Deny—Select this option to deny all header types that are selected
selected in the HTTP Reply Header Filter Types window. All other
types will be allowed.
2. Select the type of HTTP header filtering you want to allow or deny in the
Selected HTTP Reply Header Filter Types area. The following options are
available:
Note: The X-* filter type is a wildcard filter that will allow or deny all X-xxx reply
headers (commonly found in user-defined headers). If you create an Allow list and do
not include the X-* filter type, most Web traffic will be denied.
None—Select this option if you want to deselect all HTTP reply
header filter types in the list. (You can also deselect all of the types
by clicking Deselect All.)
Standard—Select this option if you want to automatically select all
of the header types contained in the list. (You can also select all
header types by clicking Select All.)
Paranoid—Select this option if you want to exclude all options not
defined in the RFC.
Custom—Select this option if you want to manually configure
which HTTP reply header types you will allow or deny.
3. In the Denied Header Action area, select one of the following options:
Block Entire Page—Select this option to block the entire page
when an HTTP reply header is denied.
Allow Page Through Without Denied Headers—Select this option
to mask the denied HTTP reply header, but still allow the page to
be viewed. (A denied HTTP reply header will be scrubbed.)

Figure 6-6. Web/Secure
Web: MIME/Virus tab
Creating Web or Secure Web Application Defenses
Configuring the Web/Secure Web MIME/Virus tab
To configure MIME/anti-virus properties for a Web/Secure Web
defense, click the MIME/Virus tab. The following window appears.
About the MIME/Virus tab The MIME/Virus tab allows you to configure filtering for
MIME and anti-virus scanning services. The tab contains a rule table
that displays any MIME/Anti-Virus filtering rules that have been
created. The tab also contains various virus scanning and handling
configuration options.
Note: Virus scanning is performed on data sent from the client if the request method is
either PUT or POST, and the appropriate file type is specified for scanning in the MIME
filtering rules table.
Note: MIME/Virus scanning services are not available for Web defenses if you select
Server in the Type field. They are not available for Secure Web if you select Client in the
Type field. The fields in this tab will be disabled unless you select the MIME/Virus check
box on the Enforcements tab.
To configure MIME/Virus properties for an Application Defense,
follow the steps below.
Important: You must license and configure scanning services before the MIME/Anti-
Virus filter rules you create will scan HTTP/HTTPS traffic. See “Configuring scanning
services” on page 3-34.
1. In the Type of Scanning area, you can configure virus scanning for
known and/or unknown viruses, as follows:
Security Alert: If you want to perform virus scanning, you must create the
appropriate virus scan rules in the MIME/Anti-Virus Filtering Rules table. Rules that
are configured only to allow or deny traffic based on rule criteria will not perform
virus scanning. (See step 2 for information on configuring MIME/Anti-virus filter
rules.)
Configuring Application Defenses 6-13

Creating Web or Secure Web Application Defenses
6-14 Configuring Application Defenses
If you select Scan for Known Viruses only, traffic that matches a rule
requiring virus scanning will be scanned for viruses with known
signatures.
If you select Scan for Unknown Viruses only, traffic that matches a
rule requiring virus scanning will be scanned only for unknown
signatures using heuristic methods.
If you select both Scan for Known Viruses and Scan for Unknown
Viruses, traffic that matches a rule requiring virus scanning will be
scanned for both known and unknown virus signatures.
Note: If you do not select at least one scanning option and you have filter rules
configured that require virus scanning, traffic that matches those rules will NOT be
scanned for known virus signatures.
2. Configure the appropriate MIME/Anti-Virus filter rules in the MIME/Anti-
Virus Filter Rules table, as follows:
Create a new filter rule—To create a new filter rule, click New and
see “Configuring MIME filtering rules” on page 6-15.
Modify an existing filter rule—To modify an existing filter rule,
select the rule you want to modify, and click Modify. See
“Configuring MIME filtering rules” on page 6-15. (If you are
modifying the default MIME filtering rule, see “Configuring the
Default filtering rule action” on page 6-17.)
Delete a filter rule—To delete an existing filter rule, select the rule
you want to delete and click Delete. You will be prompted to
confirm your decision.
3. To configure file handling for infected files in the Infected File Handling
area, do the following:
a. Determine how infected files will be handled.
To discard infected files, select Discard.
To remove the virus from the file and then continue processing the
file, select Repair.
b. To quarantine infected files for later viewing, select Quarantine Files.
If you select this option, the files will be quarantined in:
/var/log/vscan/quarantine/

Creating Web or Secure Web Application Defenses
4. To configure file size limits and rejection options for Web traffic in the
Other Values area, do the following:
a. In the Scan File Size Limit (kB) field, specify the maximum file size
that will be allowed in kB. If a file exceeds the size specified in this
field, filtering will not take place and the file will be denied.
b. To reject all files in the event that scanning is not available, select the
Reject All Files If Scanning Is Unavailable check box. (If you select this
option, the connection will be dropped if scanning is unavailable.)
Configuring MIME filtering rules
When you click New or Modify beneath the MIME/Anti-Virus Filter Rules
area, the MIME Rule Edit window appears. This window allows you to
add or modify MIME/Anti-Virus filtering rules.
Important: Rules that are configured with an allow or deny action will allow or deny
traffic based on the rule criteria that is defined for those rules. Allow and deny rules do not
perform virus scanning. To perform virus scanning for traffic that matches a rule before it is
allowed, you must specify Virus Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If
you choose to leave the default allow rule as the last rule in your table
(that is, all traffic that isn’t explicitly denied will be allowed), you will
need to configure the appropriate virus scan and/or deny rules and
place them in front of the default allow rule. If you configure the
default rule action to deny (that is, all traffic that is not explicitly
allowed will be denied) you will need to configure the appropriate
virus scan and/or allow rules and place them in front of the default
deny rule.
To create MIME/Anti-Virus rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny
any traffic that matches either the MIME Type or a File Extension type. That is, the traffic
does not need to match both criteria to match the rule.
1. In the MIME Type drop-down list, select the MIME type for which you
want to filter. If you select the asterisk (*) option, the filter rule will ignore
this field when determining a match.
Configuring Application Defenses 6-15

Creating Web or Secure Web Application Defenses
6-16 Configuring Application Defenses
2. In the MIME Subtype drop-down list, select a subtype for the MIME type
that you selected in the previous step (the available options will vary
depending on the MIME type you selected in the previous step). If you
select the asterisk (*) option, the filter rule will ignore this field when
determining a match.
3. In the File Extensions area, specify the type of file extensions that you
want to filter:
Ignore Extensions (*)—Select this option to ignore extensions
when determining a match.
Archive Extensions—Select this option to specify basic archive
extensions (such as .tar, .zip, etc.) for the specified MIME types/subtype.
Standard Extensions—Select this option to specify the standard
file extensions associated with the selected MIME type/subtype.
For example, if you select text in the MIME Type field, and HTML in
the MIME Subtype field, the .htm and .html file extensions will
appear in the standard list.
Custom—Select this option to create a custom list of file
extensions for the selected MIME type/subtype. To add a file
extension to the list, click New and see “Configuring the Add New
File Extension window” on page 6-17. To delete a file extension,
select the extension you want to delete and click Delete. You can
use the Reset button to clear all extensions from the list, or to
select a different file extension list (Archive or Standard).
4. In the Action area, select one of the following options:
Allow—Select this option if you want to explicitly allow the file
extensions that you specified in the previous steps. (Virus scanning
will not be performed.)
Deny—Select this option if you want to explicitly deny the file
extensions that you specified in the previous steps. (Virus scanning
will not be performed.)
Virus Scan—Select this option if you want to perform virus
scanning on the file extensions that you specified in the previous
steps. The type of scanning that is performed will be determined
by the option(s) configured in the Type of Scanning area. If no
viruses are detected, the file will be allowed through the system.

Creating Web or Secure Web Application Defenses
Configuring the Add New File Extension window
This window allows you to specify additional file extensions on which
to filter. In the File Extension field, type the extension that you want to
add, and then click Add. The file extension is added to the Custom file
extension list. If you select the Custom file extension option, all file
extensions listed in the box will be allowed, denied, or filtered
depending on the action you select.
Configuring the Default filtering rule action
The default filter rule is a catch-all rule designed to occupy the last
position in your rule table. To modify the default action for the default
MIME filtering rule, do the followings:
1. Select the default rule in the table and click Modify. The MIME Default
Action window appears.
2. Select the appropriate action for this rule and then click OK.
Allow—The default rule is initially configured to allow all data that
does not match other filter rules. If you leave the default rule as an
allow rule, you must create filter rules that require virus scanning or
explicitly deny any MIME types that you do not want to allow, and
place them in front of the default allow rule.
Deny—If you prefer the default rule to deny all data that did not
match a filter rule, you must create the appropriate virus scan and
allow rules and place them in front of the default deny rule.
Virus Scan—If you want to perform virus scanning for traffic that
does not match any allow or deny filter rules you create, select this
option. You will then need to create the appropriate allow and
deny rules that will not require scanning.
Configuring the Web/Secure Web Content Control tab
To configure content control properties for a Web/Secure Web
defense, click the Content Control tab. The following window
appears.
Configuring Application Defenses 6-17

Creating Web or Secure Web Application Defenses
Figure 6-7. Web/Secure
Web Content Control tab
About the Content Control
tab
6-18 Configuring Application Defenses
The Content Control tab allows you to configure filtering to deny
certain types of embedded objects. Follow the steps below.
Note: If you are configuring a Web or Secure Web defense for type Server, you will only be
allowed to select the Deny SOAP option. If you are configuring a Web defense for type
Client, the Deny SOAP option is not available.
1. Select the Deny ActiveX Controls check box to scrub the ActiveX
embedded objects from the Web content.
2. Select the Deny Java Applets check box to scrub the Java Applet objects
from the Web content.
3. Select the Deny Scripting Languages check box to scrub scripting
languages from the Web content.
4. Select the Deny SOAP check box to scrub SOAP embedded objects from
the Web content. In some cases, selecting this option can cause the
entire page to be denied if it contains SOAP embedded objects.
Configuring the Web/Secure Web Connection tab
The Web/Secure Web Connection tab allows you to configure basic
connection properties, such as the type of connection that will be
allowed (transparent, non-transparent, or both), timeout properties,
and fast path session properties. You can also configure whether to
send traffic to an upstream proxy.
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.

Creating Web
Cache Application
Defenses
Figure 6-8. Application
Defenses: Web Cache
window
Creating Web Cache Application Defenses
To configure Web Cache Application Defenses, in the Admin Console
select Policy Configuration -> Application Defenses -> Defenses -> Web
Cache. The following window appears. (Figure 6-8 displays only the
bottom portion of the window.)
Configuring the Web Cache Application Defense window
This window allows you to configure SmartFilter properties for the
Web Proxy server (Squid). Follow the steps below.
Note: You must configure and enable your SmartFilter software before this defense will
be effective in your policy. See “Configuring the Web proxy server” on page 12-12 and
“Configuring SmartFilter on the Sidewinder G2” on page A-3.
1. Configure the SmartFilter category table.
The SmartFilter category table displays the available SmartFilter
categories, as well as the configured properties for each category. To
modify the properties for a SmartFilter category, select the category
that you want to modify, and click Modify. See “Modifying a SmartFilter
category” on page 6-20.
2. To filter URLs to deny specific file extension types, click New in the
Denied File Extensions area. To modify an existing file extension, select
the file extension you want to modify and click Modify in the Denied File
Extensions area. See “Configuring the SmartFilter File Extension
window” on page 6-21 for information about adding or modifying a
denied file extension.
Configuring Application Defenses 6-19

Creating Web Cache Application Defenses
6-20 Configuring Application Defenses
3. [Conditional] To slow the download process for filtered sites, in the
Delay field type the amount of time (in seconds) that you want to delay
the Web page display.
Delaying the download time discourages users from browsing certain
sites because it takes longer for those pages to be displayed. Valid
values are from 1–999.
Note: The Delay field applies to ALL categories in a rule that are set to Delay. For
example, if you have set Chat, Entertainment, and Art/Culture to delay, and enter
30 seconds in the Delay field, sites that fall into any of the three categories will be
delayed by 30 seconds.
4. To deny Web access if a user attempts to access a site using an IP
address rather than a URL, select the Deny IP Addresses check box.
Secure Computing recommends enabling this check box.
5. To deny unclassified personal pages (pages that consist of
uncategorized URLs that contain a tilde, such as
www.rootsweb.com/~wgnorway/), select the
Deny Unclassified Personal Pages check box.
Note: This option does NOT refer to the Personal Pages category. It only refers to
pages that contain a tilde (~), as described above.
6. Click the Save icon to save your changes when you are finished
configuring an Application Defense.
Modifying a SmartFilter category
When you select a SmartFilter category and click Modify in the
SmartFilter tab, the SmartFilter Modification window appears. This
window enables you to change the settings for the selected
SmartFilter category. The Category field in the top portion of the
window displays the SmartFilter category you selected for
modification. Follow the steps below.
1. In the Permission field, specify whether access to the selected
SmartFilter category will be allowed or denied by selecting the
appropriate option from the drop-down list.

Creating Mail
Application
Defenses
Creating Mail Application Defenses
2. In the Special Handling field, specify whether SmartFilter will process
Web requests to this category in a special manner. Valid options are:
None—No special handling is performed.
Coach—A predefined message is displayed to users informing
them that the site has been filtered, but allows them to proceed at
their own risk. The predefined message can be modified by editing
the /usr/local/squid/etc/errors/ERR_SCC_SMARTFILTER_COACH file.
For information on configuring this file, see “Configuring advanced
SmartFilter options” on page E-6.
Note: The Coaching feature works with all Internet Explorer browsers and with
Netscape browsers at version 6.0 or greater.
Delay—Slows the download process of filtered sites. This
discourages users from browsing certain sites because it takes
longer for those pages to be displayed. The delay time is specified
on the Set SmartFilter Delay field on the main SmartFilter tab.
Configuring the SmartFilter File Extension window
This window allows you to specify file extensions that will be denied.
To add a file extension that you want to deny, type the extension in
the Denied File Extension window. Do not include a period (.) in front
of the file extension.
Mail Application Defenses are used in SMTP proxy rules. To configure
Mail Application Defenses, in the Admin Console select Policy
Configuration -> Application Defenses -> Defenses -> Mail. The following
window appears. (Figure 6-9 displays only the bottom portion of the
window.)
Note: You must have Secure Split SMTP mail servers configured to use mail filtering.
Configuring Application Defenses 6-21

Creating Mail Application Defenses
Figure 6-9. Application
Defenses: Mail window
6-22 Configuring Application Defenses
Configuring the Mail Control tab
This tab allows you to configure filtering for mail services. The Anti-
Relay feature prevents your mailhost from being used by a hacker as a
relay point for spam to other sites. This option is automatically
enabled for all mail defenses and cannot be disabled.
To configure a Mail Application Defense, follow the steps below.
1. To enable (or disable) a particular type of filtering, you must select the
appropriate check box in the Enable Mail Filters area. Once you enable a
mail filter, you can configure it by selecting the appropriate tab. You
cannot configure a mail filter unless you have selected it in this tab. The
following filters can be enabled:
Size Filter—The Size filter allows you to specify the maximum size
for mail messages. To configure the Size filter once it has been
enabled, select the Size Filter tab and see “About the Mail Size tab”
on page 6-23.
Keyword Search Filter—The Keyword Search filter allows you to
filter mail messages based on the presence of defined key words
(character strings). To configure the Keyword Search filter once it
has been enabled, select the Keyword Search tab and see “About
the Keyword Search tab” on page 6-24.
MIME/Anti-Virus Filter—The MIME/Anti-Virus Filter allows you to
configure MIME and Anti-virus filtering for e-mail messages. To
configure the MIME/Anti-Virus filter once it has been enabled,
select the MIME tab and see “Configuring the Mail MIME/Virus tab”
on page 6-26.

Figure 6-10. Mail Size tab
Creating Mail Application Defenses
Anti-Spam Filter—The Anti-Spam filter allows you to filter out mail
messages that fall under the “spam” profile. The Anti-Spam filter
can only be enabled or disabled in this window. To enable Anti-
Spam filtering, select this check box. To disable Anti-Spam filtering,
deselect the check box.
If desired, you can modify the default actions for the Anti-Spam
filter in the appropriate configuration file(s) using the Admin
Console File Editor. See “Configuring advanced anti-spam options”
on page 11-13 for details.
2. To specify how mail messages that are rejected should be handled,
select one of the following options in the Rejected Mail Handling field:
Discard—Select this option if you want to discard rejected mail
messages without notifying the sender.
Return to Sender—Select this option if you want to send a
rejection notice to the sender.
Note: If a message is denied by the MIME/Anti-Virus filter rules (configured in the
MIME/Virus tab), that message will be discarded without sending a rejection notice
regardless of which option you select here.
Configuring the Mail Size tab
To configure size restrictions for a Mail defense, select the Size tab.
The following window appears.
About the Mail Size tab The Size filter checks e-mail messages for the number of bytes the
message contains, including the message header. A message is
rejected if it is greater than or equal to the threshold size you specify
when you configure a filter.
Configuring Application Defenses 6-23

Creating Mail Application Defenses
Figure 6-11. Keyword
Search tab
About the Keyword Search
tab
6-24 Configuring Application Defenses
To configure the Size filter, in the Maximum Message Size field specify
the maximum message size (in kB) that will be allowed to pass
through the Sidewinder G2. The default is 1024kB. Valid values are
1–2147483647 kB.
Configuring the Mail Keyword Search tab
To configure key words (character strings) that will be filtered for a
Mail defense, select the Keyword Search tab. The following window
appears.
The Keyword Search tab allows you to configure the Sidewinder G2
to perform a search for specified character set(s), or key words, within
an e-mail message. If the filter finds a specific number of key word
matches, the message is rejected. If the filter does not match a specific
number of key words, it passes the message onto the next filter or to
the intended recipient.
Important: You must enable the kmvfilter server in the appropriate burbs before the
keyword search feature will function. For information on enabling the kmvfilter server, see
“Enabling and disabling servers” on page 3-30.
To configure character sets to search for, follow the steps below.
1. In the Minimum Number of Phrase Matches Required for Rejection of
Message field, specify the number of key word matches that must be
found in a message before it is rejected.

Creating Mail Application Defenses
2. In the Total Number of Phrase Matches to Verify Before Rejection field,
specify whether the filter will search the entire message for key words,
or whether it will stop searching for key words if the minimum number
of matches is met:
Minimum—Select this option if you want the filter to stop
searching and fail the message if the minimum number of key
word matches is met. This is based on the number that you enter
in the previous step. The filter will reject a mail message once the
minimum number of key words are matched.
All—Select this option if you want the filter to continue searching
the message for key words after the minimum number of key
word matches is met, for auditing purposes. After searching the
entire message for key word matches, the message is rejected.
3. The Phrase List table provides the list of phrases that will be filtered for
this Application Defense. The table contains three columns:
Before—This column indicates whether a space is required
immediately before the specified phrase to match the filter. An
asterisk (*) indicates that the phrase will not match unless there is a
space immediately in front of the phrase.
Phrase Text—This column lists each phrase for which the filter will
search.
After—This column indicates whether a space is required
immediately after the specified phrase to match the filter. An
asterisk (*) indicates that the phrase will not match unless there is a
space immediately following the phrase.
To add a phrase, click New. To modify a phrase, highlight the
appropriate row and click Modify. The Keyword Search: Phrase Edit
window appears.
Configuring the Keyword Search: Phrase Edit window
When you click New or Modify beneath the Phrase List area, the
Keyword Search Phrase Edit window appears. This window allows
you to add or modify character strings (known as “key words”).
Follow the steps below.
1. In the Text field, type the text you want to filter. You can include any
printable character, as well as spaces. However, the character string
must consist of at least two characters.
Note: Some special characters, such as a space, will be displayed in the Key Word list
using their hexadecimal equivalents.
Configuring Application Defenses 6-25

Creating Mail Application Defenses
6-26 Configuring Application Defenses
You can also define a key word entry that consists partly or entirely of
binary characters. The binary characters you want to search for are
entered into the Key Word list using their hexadecimal equivalents. Each
character must be preceded with a back slash (\). This distinguishes the
character from a regular character. You can specify several characters in
a row, but each character must be preceded by a back slash. You can
also intermingle the binary characters with regular characters. For
example, the following are valid entries in the Key Word list:
— \ac\80\fe
— \ff\00\fb\40secrets
— password\df\01\04
Valid hexadecimal characters are allowed immediately following a back
slash. To use the back slash character as part of a key word entry, you
must type a double back-slash (\\).
Note: The exception is \0a (the new line character). The filter will not detect a key
word that contains this character unless it is the first character in the key word entry
or unless the character is preceded by \0d (the line feed) character (e.g., \0d\0a).
2. If you want to require that there be white space directly in front of and/
or after a key word, select the Require whitespace immediately before
phrase and/or Require whitespace immediately after phrase check
boxes, accordingly. This prevents the filter from misidentifying character
strings that innocently appear as part of another word.
For example, if you require whitespace before and after the key word
“for,” words like “forest,” “formula,” “information,” and “uniform” will be
allowed to pass through the filter, while the word “for” would not. If you
do not require whitespace before and after the key word “for,” the “for”
string within the word would match the filter and cause the message to
be rejected (if the specified number of matches are found).
3. To add the new or modified key word, click OK.
Configuring the Mail MIME/Virus tab
To configure MIME and anti-virus filtering options for a Mail defense,
select the MIME/Virus tab. The following window appears.

Figure 6-12. Mail MIME/
Virus tab
About the Mail MIME/Virus
tab
Creating Mail Application Defenses
The MIME/Virus tab allows you to configure MIME and virus filtering
services. The tab contains a rule table that displays any MIME/Anti-
Virus filtering rules that have been created. It also contains various
virus scanning and handling configuration options.
Important: You must license and configure additional services before the MIME/Anti-
Virus filter rules you create will scan mail messages. See “Configuring scanning services” on
page 3-34.
Note: The fields in this tab will be disabled unless you select the MIME/Virus check box
on the Control tab.
To configure MIME/Virus properties for an Application Defense,
follow the steps below.
Security Alert: If you want to perform virus scanning, you must create the appropriate
rules with Virus Scan selected in the Action field. Rules that are configured only to allow or
deny traffic based on rule criteria will not perform virus scanning. (See step 2 for
information on configuring MIME/Anti-virus filter rules.)
1. In the Type of Scanning area, you can configure virus scanning for
known and/or unknown viruses, as follows:
If you select Scan for Known Viruses only, messages that match a
rule requiring virus scanning will be scanned only for viruses with
known signatures.
If you select Scan for Unknown Viruses only, messages that match a
rule requiring virus scanning will be scanned only for unknown
signatures using heuristic methods.
If you select both Scan for Known Viruses and Scan for Unknown
Viruses, messages that match a rule requiring virus scanning will
be scanned for both known and unknown virus signatures.
Configuring Application Defenses 6-27

Creating Mail Application Defenses
6-28 Configuring Application Defenses
Note: If you do not select at least one of the scanning options and you have filter
rules configured that require virus scanning, messages that match those rules will
NOT be scanned for known virus signatures by default.
2. Configure the appropriate MIME/Anti-Virus filter rules in the MIME/Anti-
Virus Filter Rules table, as follows:
Create a new filter rule—To create a new filter rule, click New and
see “Configuring MIME filtering rules” on page 6-15.
Modify an existing filter rule—To modify an existing filter rule,
select the rule you want to modify, and click Modify. See
“Configuring MIME filtering rules” on page 6-15. (If you are
modifying the default MIME filtering rule, see “Configuring the
Default filtering rule action” on page 6-17.)
Delete a filter rule—To delete an existing filter rule, select the rule
you want to delete and click Delete. You will be prompted to
confirm your decision.
3. To quarantine infected files for later viewing, select Quarantine Files. If
you select this option, the files will be quarantined in:
/var/log/vscan/quarantine/
4. To configure file size limits and rejection options for mail messages in
the Other Values area, do the following:
a. In the Scan File Size Limit (kB), specify the maximum file size that will
be allowed (in kB). If a file exceeds the size specified in this field,
scanning will not take place and the file will be denied.
b. To reject all files in the event that scanning is not available, select the
Reject All Files If Scanning Is Unavailable check box. (If you select this
option, the connection will be dropped if scanning is unavailable.)
c. Select Full Scan of Entire Mail Message if you want to perform
scanning on the entire mail message (that is, the message with all of
its MIME types is scanned as a single entity). If this check box is
deselected, each piece of the mail message will be scanned and
handled independently.

Configuring MIME filtering
rules
Creating Mail Application Defenses
When you click New or Modify beneath the MIME/Anti-Virus Filter
Rules area, the MIME Rule Edit window appears. This window allows
you to add or modify a MIME filtering rule.
Important: Rules that are configured with an Allow or Deny action will allow or deny
messages based on the rule criteria that is defined within the rule. Allow and deny rules do
not perform virus scanning. To perform virus scanning for messages that match a rule
before it is allowed, you must specify Virus Scan in the rule’s Action field.
By default, a single allow rule is contained in the filter rule table. If
you choose to leave the default allow rule as the last rule in your table
(that is, all mail that isn’t explicitly denied will be allowed), you will
need to configure the appropriate virus scan and/or deny rules and
place them in front of the default allow rule.
If you configure the default rule action to deny (that is, all mail that is
not explicitly allowed will be denied) you will need to configure the
appropriate virus scan and/or allow rules and place them in front of
the default deny rule. In this scenario, if you want to allow multi-part
mixed MIME elements within a mail message (which is fairly
common) you will need to create an allow rule with Multipart selected
in the Type field and Mixed selected in the Subtype field. If you do not
create this type of allow rule when using a default deny rule, any mail
message that contains multiple MIME types will be denied.
To configure MIME/Virus Filter rules, follow the steps below.
Note: Rules that specify both a MIME type/subtype and file extensions will allow or deny
any traffic that matches either the MIME Type or a File Extension type. That is, the traffic
does not need to match both criteria to match the rule.
1. In the MIME Type drop-down list, select the MIME type for which you
want to filter. If you select the asterisk (*) option, the filter rule will ignore
this field when determining a match.
2. In the MIME Subtype drop-down list, select a subtype for the MIME type
that you selected in the previous step (the available options will vary
depending on the MIME type you selected in the previous step). If you
select the asterisk (*) option, the filter rule will ignore this field when
determining a match.
Configuring Application Defenses 6-29

Creating Mail Application Defenses
6-30 Configuring Application Defenses
3. In the File Extensions area, specify the type of file extensions that you
want to filter:
Ignore Extensions (*)—Select this option to ignore extensions
when determining a match.
Archive Extensions—Select this option to match basic archive
extensions (such as .tar, .zip, etc.).
Standard Extensions—Select this option to match standard file
extensions associated with the selected MIME type/subtype. For
example, if you select text in the MIME Type field, and HTML in the
MIME Subtype field, the .htm and .html file extensions will appear in
the standard list.
Custom—Select this option to create a custom list of file
extensions for the selected MIME type/subtype. To add a file
extension to the list, click New and see “Configuring the Add New
File Extension window” on page 6-17. To delete a file extension,
select the extension you want to delete and click Delete. You can
use the Reset button to clear all extensions from the list, or to
select a different file extension list (Archive or Standard).
4. In the Action area, select one of the following options:
Allow—Select this option if you want to explicitly allow the file
extensions that you specified in the previous steps. (Virus scanning
will not be performed.)
Deny—Select this option if you want to explicitly deny the file
extensions that you specified in the previous steps. (Virus scanning
will not be performed.)
Virus Scan—Select this option if you want to perform virus
scanning on the file extensions that you specified in the previous
steps. The type of scanning that is performed will be determined
by the option(s) configured in the Type of Scanning area. If no
viruses are detected, the file will be allowed through the system.
Configuring the Add New File Extension window
This window allows you to customize the file extensions on which to
filter. In the File Extension field, type the extension that you want to
add, and then click Add. The file extension is added to the Custom file
extension list. When you select the Custom file extension option, all
file extensions listed in the box will be allowed, denied, or filtered
depending on the action you select.

Creating Citrix
Application
Defenses
Figure 6-13. Application
Defenses: Citrix window
Configuring the Default filter rule action
Creating Citrix Application Defenses
The default filter rule is a catch-all rule designed to occupy the last
position in your rule table. To modify the default action for the default
MIME filtering rule, do the followings:
1. Select the default rule in the table and click Modify. The MIME Default
Action window appears.
2. Select the appropriate action for this rule and then click OK.
Allow—The default rule is initially configured to allow all messages
that do not match other filter rules. If you leave the default rule as
an allow rule, you must create filter rules that require virus
scanning or explicitly deny any MIME types that you do not want
to allow, and place them in front of the default allow rule.
Deny—If you prefer the default rule to deny all data that did not
match a filter rule, you must create the appropriate virus scan and
allow rules, and place them in front of the default deny rule.
Virus Scan—If you want to perform virus scanning for messages
that do not match other allow or deny filter rules, select this
option. You will then need to create the appropriate allow and
deny rules that will not require scanning.
To configure Citrix Application Defenses, in the Admin Console select
Policy Configuration -> Application Defenses -> Defenses -> Citrix. The
following window appears. (Figure 6-13 displays only the bottom
portion of the windows.)
Configuring Application Defenses 6-31

Creating Citrix Application Defenses
Figure 6-14. Citrix Filters
tab
6-32 Configuring Application Defenses
Configuring the Citrix Enforcements tab
The Enforcements tab allows you to enable or disable Citrix filtering.
You will not be able to configure filtering on the Citrix Filter tab
unless the Citrix Filters check box is selected. When this check box is
selected, the values you configure in the Citrix Filters tab will be
enforced. To disable Citrix filtering, deselect the Citrix Filters check
box.
Configuring the Citrix Filters tab
To configure the Citrix Filters tab, select the tab. The following
window appears.
About the Citrix Filters tab The Citrix Filters tab allows you to configure filtering properties for
Citrix. To configure filters in Citrix, select the items that you want to
deny. Each entry in the list represents a type of application or
communication channel supported by Citrix. A check box will appear
in front of types that will be denied. Deselect the check boxes for the
items you want to allow in Citrix.
To deny all of the types listed, click Select All. To allow everything (no
filter restrictions), click Deselect All.

Creating FTP
Application
Defenses
Figure 6-15. Application
Defenses: FTP Filter
window
Configuring the Citrix Connections tab
Creating FTP Application Defenses
The Citrix Connections tab allows you to configure timeout properties
and specify whether fast path sessions will be disabled.
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
To configure FTP Application Defenses, in the Admin Console select
Policy Configuration -> Application Defenses -> Defenses -> FTP. The
following window appears. (Figure 6-15 displays only the bottom
portion of the window.)
Configuring the FTP Filter tab
This tab allows you to specify the FTP commands (permits) that you
want to allow your users to issue. The available FTP commands as
well as a description of each is included in the Allowed FTP Permits
area.
Configuring Application Defenses 6-33

Creating IIOP Application Defenses
Creating IIOP
Application
Defenses
6-34 Configuring Application Defenses
Select one of the following options:
None—Select this option if you do not want to allow any FTP
permits. (None of the check boxes will be selected.)
All—Select this option if you want to allow all of the FTP permits
that are displayed. (All of the check boxes will be selected.)
Custom—Select this option if you want to allow only certain FTP
permits. To select the FTP permits that will be allowed, click the
appropriate check box. A check mark appears in front of
commands that are allowed.
Note: If you select None or All and then make modifications to the commands, the
Custom option will automatically become selected.
Configuring the FTP Connection tab
The FTP Connection tab allows you to configure timeout and fast path
session properties, as well as the type of connection that will be
allowed (transparent, non-transparent, or both).
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
To configure IIOP Application Defenses, in the Admin Console select
Policy Configuration -> Application Defenses -> Defenses -> IIOP. The
following window appears. (Figure 6-17 displays only the bottom
portion of the windows.)

Figure 6-16. Application
Defenses: IIOP Filter tab
Creating IIOP Application Defenses
About the IIOP Filter tab The IIOP Filter tab allows you to configure the following options:
Allow Bi-directional GIOP—Select this option to enable support for
bi-directional 1.2 GIOP (General Inter-ORB Protocol).
Validate Content Format—Select this option to filter the message
encapsulated in the GIOP PDU, and verify that the header content,
message direction, and message length are valid for the GIOP
message type identified in the GIOP header.
Note: The data in the GIOP header portion of the PDU is always validated.
Configuring the IIOP Connection tab
The IIOP Connection tab allows you to configure timeout and fast
path session properties, as well as the maximum allowed message
size.
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
Configuring Application Defenses 6-35

Creating Multimedia Application Defenses
Creating
Multimedia
Application
Defenses
Figure 6-17. Application
Defenses: Multimedia
6-36 Configuring Application Defenses
To configure Multimedia Application Defenses, in the Admin Console
select Policy Configuration -> Application Defenses -> Defenses ->
Multimedia. The following window appears. (Figure 6-17 displays only
the bottom portion of the windows.)
Configuring the Multimedia General tab
This tab allows you to enable the multimedia applications you want to
configure. You cannot configure the H.323 Filter or T.120 Filter tabs
unless you have selected the appropriate check box on the
Multimedia-General tab. The following options are available:
Enforce Permission Checking for H.323—Select this option to enable
the H.323 filter. To configure H.323 properties, see “Configuring
the H.323 Filter tab” on page 6-36.
Enforce Permission Checking for T120—Select this option to enable the
T.120 filter. To configure T.120 properties, see “Configuring the
T120 Filter tab” on page 6-38.
Note: For more information on H.323 or T.120, see “T.120 and H.323 proxy
considerations” on page 8-22.
Configuring the H.323 Filter tab
This tab allows you to select H.323 codecs you will allow your users
to access. You can select from the following options:

Creating Multimedia Application Defenses
Required—Select this option to allow only the codecs required by
H.323 for compliance.
Required + Low Bandwidth Audio—Select this option to allow the
required H.323 codecs as well as low bandwidth options.
Required + All Audio—Select this option to allow all H.323 codecs
except the codecs that allow video.
Required + All Audio + Video—Select this option to allow all available
H.323 codecs.
Custom—Select this option to specify which codecs you want to
allow. To allow a codec, select the appropriate check box. A check
mark appears in the corresponding check box when a codec is
allowed.
Select All—Click this button to select all of the H.323 codecs (all
codecs will be selected).
Deselect All—Click this button to deselect all of the H.323 codecs
(all codecs will be deselected).
Note: If you select an option other than Custom and then make modifications to the
selected codecs, the Custom option will automatically become selected.
The following list provide an example of codecs commonly used by
Microsoft’s NetMeeting:
G.711—The G.711 codec options can transmit audio at 48, 56, and
64 kB per second (kBps). Select this codec for audio that is being
passed using high speed connections.
G.723—The G.723 codec options determine which format and
algorithm will be used for sending and receiving voice
communications over a network. This codec transmits audio at 5.3
and 6.3 kBps, which will reduce bandwidth usage.
H.261—The H.261 codec will transmit video images at 64 kBps
(VHS quality). Select this codec for video that is being passed
using high speed connections.
H.263—The H.263 codec determines which format and algorithm
will be used to send and receive video images over a network.
This codec supports common interchange format (CIF), quarter
common interchange format (QCIF), and sub-quarter common
interchange format (SQCIF) picture formats. It is also a good match
for Internet transmission over low-bit-rate connections (for
example, a 28.8 kBps modem).
Configuring Application Defenses 6-37

Creating Oracle Application Defenses
Creating Oracle
Application
Defenses
6-38 Configuring Application Defenses
Configuring the T120 Filter tab
This tab allows you to specify which T.120 services you will allow
your users to access. One of the more common T.120 applications is
Microsoft’s Netmeeting. You can select from the following options:
Whiteboard (T.126)
File transfer (T.127)
Base application sharing (T.128)
Legacy application sharing (T.128)
Chat (Microsoft specific)
Configuring the Multimedia Connection tab
The Multimedia Connections tab allows you to configure timeout
properties for the T.120 and H.323 proxies. To configure the
properties for one of the proxies, either double-click the entry in the
table, or highlight the entry and click Modify. The Connection window
appears.
For information on configuring the Connections window, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
To configure Oracle Application Defenses, in the Admin Console
select Policy Configuration -> Application Defenses -> Defenses -> Oracle.
The following window appears. (Figure 6-18 displays only the bottom
portion of the windows.)

Figure 6-18. Application
Defenses: Oracle
Enforcements window
Configuring the Enforcements tab
Creating Oracle Application Defenses
The Enforcements tab allows you to enable or disable Oracle service
name checking. Service name checking allows you to restrict access to
the SQL server by specifying which service names will be explicitly
allowed. If service name checking is enabled, only sessions that match
a service name specified in the Service Name (SID) tab will be
allowed.
You cannot configure service name checking on the Service Name
(SID) tab unless the Enforce Service Name Checking check box is
selected. When this check box is selected, the values you configure in
the Service Name (SID) tab will be enforced. To disable service name
checking, deselect the Enforce Service Name Checking check box.
Configuring Application Defenses 6-39

Creating Oracle Application Defenses
About the Service Name
(SID): New Service Name
window
6-40 Configuring Application Defenses
Configuring the Service Name (SID) tab
The Service Name (SID) tab allows you to configure which service
names will be allowed access to the SQL server. If you do not specify
any service names, service names will not be used in determining
whether a session is allowed or denied.
To configure a service name, click New. See “About the Service Name
(SID): New Service Name window” on page 6-40.
To modify a service name, highlight the service name you want to
modify, and click Modify. See “About the Service Name (SID): New
Service Name window” on page 6-40.
To delete a service name, highlight the service name you want to
modify, and click Delete.
The New Service Name window allows you to create or modify a
service name. In the Service Name (SID) field, enter the service name
you want to add or modify and then click OK.
Important: The service name you enter in this field must be an exact match (including
capitalization) of the full service name that is in the Oracle tnsnames.ora file in order for
those sessions to be allowed. The use of wildcards or substrings is not supported at this
time.
Configuring the Oracle Connection tab
The Oracle Connections tab allows you to configure timeout, fast path
session, and connection timeout properties.
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.

Creating SOCKS
Application
Defenses
Figure 6-19. Application
Defenses: SOCKS5
Creating SOCKS Application Defenses
To configure SOCKS Application Defenses, in the Admin Console
select Policy Configuration -> Application Defenses -> Defenses -> SOCKS.
The following window appears. (Figure 6-19 displays only the bottom
portion of the windows.)
Configuring the SOCKS 5 Filter tab
The SOCKS 5 Filter tab allows you to configure the type of SOCKS
traffic that will be allowed when using the SOCKS5 proxy. The
following options are available:
Allow TCP SOCKS traffic—Select this option to allow TCP traffic.
Allow UDP SOCKS traffic—Select this option to allow UDP traffic.
Allow Both—Select this option to allow both TCP and UDP traffic.
Enforce SOCKS 4 Filtering—Select this option if you want to support
SOCKS at version 4. (If this check box is not selected, you will not
be able to pass traffic using SOCKS 4.)
Configuring the SOCKS Connections tab
The SOCKS Connections tab allows you to configure timeout
properties, fast path session properties, and which ports will be open
for the SOCKS proxy.
Configuring Application Defenses 6-41

Creating SNMP Application Defenses
Creating SNMP
Application
Defenses
Figure 6-20. SNMP Filter
tab
6-42 Configuring Application Defenses
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
To configure SNMP Application Defenses, in the Admin Console select
Policy Configuration -> Application Defenses -> Defenses -> SNMP. The
following window appears. (Figure 6-20 displays only the bottom
portion of the windows.)
Configuring the SNMP Filter tab
This tab allows you to specify the SNMP version you want to
configure. The options that you are allowed to configure within the
subsequent SNMP tabs will vary depending on which option you
select. The following options are available:
Allow SNMP v1 filtering—Select this option to allow SNMP v1 traffic
and configure object ID (OID) filtering. For information on
configuring OID filtering for SNMP v1 traffic, see “Configuring the
SNMP v1 tab” on page 6-43.
Allow SNMP v2c traffic—Select this option to allow SNMP v2c traffic.
OID filtering is not available for SNMP v2c traffic. For information
on configuring connection timeout properties, see step 2 on page -
43.

Creating SNMP Application Defenses
Allow SNMP v1 and v2c traffic—Select this option to allow SNMP v1
and v2c traffic. OID filtering is not available when both SNMP v1
and v2c are allowed. For information on configuring connection
timeout properties, see “Configuring connection properties” on
page 6-48.
Configuring the SNMP v1 tab
This tab allows you to configure Object ID (OID) filtering for SNMP
v1 traffic. Follow the steps below.
Note: Filtering is not available for SNMP v2c. If you selected Allow SNMP v2c Traffic or
Allow SNMP v1 and v2c Traffic on the SNMP Filter tab, you cannot configure any options
on this tab.
1. In the Options area, determine the types of requests and events that the
SNMP proxy will filter, as follows:
Allow Read Requests—Select this option to allow the Get and
Get Next requests. (If you select SNMP v2c, this is automatically
allowed.)
Allow Write Requests—Select this option to allow the Set request.
(If you select SNMP v2c, this is automatically allowed.)
Allow Notify Events—Select this option to allow v1 traps. (If you
select SNMP v2c, this is automatically allowed.)
Note: Additional SNMP requests are not supported in SNMP v1.
2. Select the Enable OIDs Filtering check box to configure object IDs (OIDs)
for the SNMP proxy. OIDs are a unique, numeric representation of a
device within the SNMP network.
3. In the Actions field, determine whether the list of OIDs that you define
will be allowed or denied, as follows:
Allow—Select this option to allow only the OIDs that you specify in
the table. All other OIDs will be denied.
Deny—Select this option to deny only the OIDs that you specify in
the table. All other OIDs will be allowed.
To add an OID to the table, click New. To modify an existing OID, select
that ID and click Modify. The OID Editing window appears. (For
information on configuring a new OID, see “Configuring the SNMP v1:
OID Editing window” on page 6-44.)
Note: To delete an existing OID, select that ID and click Delete. You will be
prompted to confirm your action.
Configuring Application Defenses 6-43

Creating SNMP Application Defenses
Figure 6-21. SNMP v1:
OID Editing window
6-44 Configuring Application Defenses
Configuring the SNMP v1: OID Editing window
This window allows you to add a new object ID (OID). You can select
from the list of standard OIDs, or you can create your own OID using
the custom option. Follow the steps below.
1. In the OID Options area, determine whether the OID will be Standard
(pre-defined) or Custom (you determine and enter the OID manually) by
selecting the appropriate radio button.
2. [Conditional] If you selected Standard in step 1, select the appropriate
OID from the Standardized OIDs drop-down list.
3. [Conditional] If you selected Custom in step 1, type the OID number in
the Customized OID field using the standard OID structure. The
numbering scheme for each object is determined by the object’s
management information base (MIB) location, as shown in Figure 6-22
below.
For example, the object ID for the SCC node in the private enterprise
portion of the network would be .1.3.6.1.4.1.1573.
Note: The object ID will always begin with the following pattern .1.3.6.1. For
assistance on obtaining object IDs, visit the Internet assigned numbers authority Web
site at www.iana.org/assignments/enterprise-numbers or contact the
appropriate vendor.

Figure 6-22. Example of
OID numbering scheme
Creating Standard
Application
Defenses
system
.1
interfaces
.2
Creating Standard Application Defenses
.2 mgmt
private .4
.1 mib2
enterprises .1
ip
.4
tcp
.6
4. Click Add or OK to add the OID to the table. Repeat these steps for each
OID you want to add or modify.
5. Click Close to return to the SNMP v1 tab.
Configuring the SNMP Connection tab
The SNMP Connections tab allows you to configure timeout
properties and the maximum protocol data unit (PDU) size.
Configuring connection properties is common to most Application
Defenses. For information on configuring the Connections tab, see
“Configuring connection properties” on page 6-48.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
The Standard window allows you to configure timeout and fast-path
properties for proxies that are not listed elsewhere in the Application
Defenses tree. You can also configure transparency properties for the
Telnet proxy. To configure Standard Application Defenses, in the
Admin Console select Policy Configuration -> Application Defenses ->
Defenses -> Standard. The following window appears. (Figure 6-23
displays only the bottom portion of the windows.)
iso
org
dod
internet
..........
.1
.3
.6
.1
UNIX
.4
scc
.1573
..........
Configuring Application Defenses 6-45

Configuring Application Defense groups
Figure 6-23. Standard
Application Defense:
Connections tab
Configuring
Application
Defense groups
6-46 Configuring Application Defenses
Configuring the Standard Connections tab
To configure connection properties for a standard Application
Defense, select the Application Defense type that you want to
configure from the table, and click Modify. The Connection window
appears. See “Configuring connection properties” on page 6-48 for
information on configuring connection properties.
Note: Click the Save icon to save your changes when you are finished configuring an
Application Defense.
Application Defense groups allow you to select a single Application
Defense from each category within a single group. When you specify
an Application Defense group within a rule, only the Application
Defense(s) that apply to that rule’s services will be implemented in
the rule. Application Defense groups can only be used when
configuring rules that use service groups.
Note: For more information on how Application Defense groups are used in a rule, see
Chapter 4.
To create an Application Defense group, in the Admin Console select
Policy Configuration -> Application Defenses -> Groups. The following
window appears.

Figure 6-24. Application
Defense Group window
Configuring Application Defense groups
Configuring the Application Defense groups window
The Application Defense Group window allows you to select a
defense for each category (for example, Web, Secure Web, standard,
etc.) to include in a group. A list of which defenses are included in a
group are displayed in the table, with the following information:
Type—This column lists each of the Application Defense types
contained.
Name—This column lists the Application Defense that is currently
selected for each category.
Set—This column indicates which Application Defense is currently
selected for configuration.
To select an Application Defense for a particular category, select the
appropriate row in the table. A list of available Application Defenses
for that category appear. Select an Application Defense from the list.
The table will be updated to display the new selection as the current
Application Defense for that category. (To add or modify an
Application Defense for a category, highlight the appropriate row and
click New or Modify.)
Configuring Application Defenses 6-47

Configuring connection properties
Configuring
connection
properties
Figure 6-25. Web
Connection tab
Configuring connection
properties
6-48 Configuring Application Defenses
You can configure connection properties for most Application
Defenses. For defenses that support multiple proxies (Multimedia and
Standard), the Connections tab will display a table. To configure the
connection properties for Multimedia or Standard, select the proxy for
which you want to configure connection properties, and click Modify.
A Connection window appears. For defenses that have configurable
connection properties (Web, Secure Web, Citrix, FTP, Oracle, SOCKS5,
and SNMP) the configurable connection properties are displayed
directly in the Connection tab. Figure 6-25 shows the Connection tab
for a Web defense.
To configure the connection properties for an Application Defense,
follow the steps below. The fields that appear will vary depending on
the type of Application Defense you are configuring.
1. In the Set Timeouts (in seconds) area, do the following:
a. In the TCP Connect Timeout field, specify the length of time, in
seconds, that the proxy should attempt to connect to the server
before the proxy stops trying.
b. In the TCP Idle Timeout field, specify the length of time, in seconds,
that the connection can remain idle before it is closed.
c. [SNMP proxy only] In the Request Timeout field, specify the length of
time, in seconds, that the proxy will wait for a response from an
SNMP agent before the connection times out. (The Get, Get Next,
and Set commands request a response.)

Configuring connection properties
d. In the UDP Idle Timeout field, specify the length of time, in seconds,
that a live UDP session will live. This field is valid for Citrix, SOCKS,
and various Standard proxies.
e. To return the values to their default value, click Restore Defaults.
2. [Conditional] If you want to disallow fast path sessions, select the
Disable Fast Path Sessions check box. (In most cases, fast path sessions
enhance system performance.) Fast path sessions are allowed by
default for proxies that support this option. See “Improving
performance using Fast Path Sessions” on page 8-3 for more
information.
Note: This option is disabled by default for the IIOP Application Defense.
3. [Web/Secure Web only] To enable a proxy to communicate with a nontransparent
proxy, select the Send Traffic to Upstream Proxy option, and
configure the following options:
Note: If you allow transparent connections when using this option, the URL will be
rewritten to contain an IP address rather than a hostname. If you allow transparent
connections, you must first ensure that the upstream proxy server will accept an
IP address.
a. In the IP Address field, specify the IP address for the upstream proxy.
b. In the Port field, specify the port that will be used (for HTTP, this will
generally be port 80.)
4. [Conditional] In the Allowed Connection Types area, determine the type
of traffic that will be allowed for this Application Defense (this field
appears if you selected Web, Secure Web, Oracle [SQL]), or Telnet. The
following options are available:
Note: The default connection type for Oracle is Transparent. The default for Web,
Secure Web, and Telnet is Both.
Transparent—Select this option to allow transparent connections.
Non-Transparent—Select this option to allow non-transparent
connections.
Both—Select this option to allow both transparent and nontransparent
connections.
Note: If you are using Non-Transparent or Both, you will need to specify which
destination ports will be allowed through the proxy. See “Configuring connection
ports” on page 6-50.
Configuring Application Defenses 6-49

Configuring connection properties
6-50 Configuring Application Defenses
5. [SNMP only] In the Max PDU field, specify the maximum protocol data
unit (PDU) size that will be allowed. The default is 535. (Valid values are
120–1450.)
Note: You may want to increase this value depending on the type of device(s) you
are using. However, keep in mind that some devices cannot handle a larger value.
6. [IIOP only] In the Maximum message size (PDU) field, specify the
maximum protocol data unit (PDU) message size that will be allowed.
The default is 72000.
7. [SOCKS/Web/Secure Web only] To configure ports for a defense, click
New and see “Configuring connection ports” on page 6-50.
8. [Web only] To allow non-transparent, secure Web traffic through the
HTTP proxy, select the Allow non-transparent secure web traffic through
the web (HTTP) proxy check box.
Configuring connection ports
The Edit a Port window allows you to configure a single port or a port
range, or you can select from pre-defined ports for specific proxies by
selecting one of the following radio buttons:
Specify a Port—Select this option to specify a single port. In the Port
field, type a port number or use the up and down arrows to
display the desired port.
Specify a Port Range—Select this option to specify a port range. In
the Begin Port and End Port fields, specify the range of ports that
this proxy can use (you can either type the port numbers in the
appropriate fields or use the up and down arrows to display the
desired ports).
Use Pre-defined Ports—Select this option if you want to specify the
port(s) or port range(s) that have been pre-defined for this proxy.

C HAPTER 7
Creating Rules and Groups
About this chapter This is a task-oriented chapter that provides instructions for creating
rules and groups. It also provides instructions for modifying the active
policy rule groups.
Viewing rules and
rule groups
Note: For an overview of rules and groups, see Chapter 4.
This chapter covers the following topics:
“Viewing rules and rule groups” on page 7-1
“Creating proxy rules” on page 7-4
“Creating IP Filter rules” on page 7-12
“Creating and managing rule groups” on page 7-19
“Selecting your active policy rules” on page 7-22
To view the existing proxy and IP Filter rules currently available for
use, in the Admin Console select Policy Configuration -> Rules. The
main Rules window appears with the Proxy Rules list displayed by
default.
7
Creating Rules and Groups 7-1

7
Viewing rules and rule groups
Figure 7-1. Rules window
displaying proxy rules
About the Rules window The Sidewinder G2 contains two rule tables:
7-2 Creating Rules and Groups
Proxy rules—This table contains all of the proxy rules and groups
that were loaded during initial configuration as well as any rules
that you have created (displayed in Figure 7-1).
IP Filter rules—This table contains all of the IP Filter rules and
groups that have been created. Each row within a table contains a
single rule or group. The components of each rule are displayed in
the labeled columns.
The order of rules in the main rule tables is not important. The rule
tables are holding grounds for rules that you create. They may or may
not be included in the active rule group that enforces your security
policy. Rather, it is the order of rules and nested rule groups within
rule groups that is important. For information on ordering your rule
groups, see “Ordering proxy rules within a rule group” on page 4-5.

Viewing rules and rule groups
You can perform the following tasks in the Rules window:
View proxy or IP Filter rules and groups—To view a rule table, click the
appropriate radio button (Proxy Rules or IP Filter Rules) in the View
Option field. You can resize the columns to suit your needs by
clicking and dragging the edge of a column heading. (Use the
scroll bars to view all columns and entries listed in the table.)
Note: If you view the proxy rule table, an Inspection column will appear in front of
the Name column. A status of On indicates that all of the Application Defense
properties will be actively enforced for a rule. A status of Off indicates that only the
connection properties portion of the defense will be enforced for that rule.
Filter the table to display rules or groups—To filter the table to display
only rules or only groups, select Rules or Groups from the Filter
drop-down list. (To display both rules and groups, select No Filter.)
Add/modify a rule—To add a new rule, select the appropriate rule
view (Proxy or IP Filter) using the View Option and then click New
-> Rule. (To modify a rule, highlight the entry and click Modify.)
— To add/modify a new proxy rule, see “Creating proxy rules”
on page 7-4.
— To add/modify a new IP Filter rule, see “Creating IP Filter
rules” on page 7-12.
Add/modify a group—To add a new rule group, select the
appropriate rule view (Proxy or IP Filter) using the View Option and
then click New -> Group. For information on adding or modifying a
rule group, see “Creating and managing rule groups” on page 7-19.
(To modify a rule group, highlight the entry and click Modify.)
Delete a rule or group—To delete a rule or group, highlight the entry
you want to delete and click Delete. You cannot delete rules or
rule groups that are part of a group.
View the groups to which a rule or group belongs—To determine which
groups a rule or group belongs to, highlight the entry and click the
Members Of button. An information window appears listing the
groups to which the rule or group belongs.
Duplicate an existing rule or rule group—To duplicate a rule or group,
highlight the rule or group you want to duplicate and click
Duplicate. The Duplicate Rule Name window appears.
Creating Rules and Groups 7-3

Creating proxy rules
About the Duplicate Rule
Name window
Creating proxy
rules
Figure 7-1. Proxy Rule
window: General tab
7-4 Creating Rules and Groups
In the Duplicate Rule Name window, do the following:
1. In the Name field, type a unique name for the duplicate rule or group.
Valid values include alphanumeric characters, periods (.), dashes(-), and
underscores (_), and spaces ( ). However, the first and last character of
the name must be alphanumeric. The name cannot exceed 100
characters.
2. [Conditional] If you are creating a duplicate IP Filter rule of type Other,
select a protocol for the new rule from the Protocol drop-down list. (The
protocol does not need to be the same protocol used by the original
rule.)
3. Click Add.
This section provides information on creating proxy rules.
Note: For an overview of proxy rules, see Chapter 4.
To create a proxy rule, using the Admin Console select
Policy Configuration -> Rules. Then click New -> Proxy Rule. The Proxy
Rule window appears. (To modify a proxy rule, highlight the rule you
want to modify and click Modify.)
Important: Proxy rules that you create will not be part of the active policy unless you
place them in a rule group that is part of the active policy. For information on adding a
proxy to a rule group and ensuring that it is included in the active policy, see “Creating and
managing rule groups” on page 7-19 and “Selecting your active policy rules” on page 7-22.

Entering information on the
Proxy Rule General tab
Creating proxy rules
The General tab in the Proxy Rule window is used to enter basic
information about a proxy rule. Follow the steps below.
1. In the Name field, type a name that helps identify the purpose of the
rule. For example, the pre-configured rule that allows synchronization
between systems is called “Synchronization.” Valid values include
alphanumeric characters, periods (.), dashes(-), and underscores (_), and
spaces ( ). However, the first and last character of the name must be
alphanumeric. The name cannot exceed 100 characters.
2. In the Service Type drop-down list, select one of the following:
Note: The Service Type field determines the options that are available to you in the
Service field in step 3.
All—This option includes both proxies and servers. It does NOT
include service groups.
Proxy—This option includes proxies only.
Server—This option includes servers only.
Service Group—This option includes service groups only. For
information on service groups, see “Service groups” on page 4-12.
3. In the Service drop-down list, select the type of network service this rule
is allowing or denying. (The options that are displayed in this list are
determined by the option you selected in the previous step.)
4. In the Action drop-down list, select Allow to allow the service or Deny to
deny the service when a match occurs.
5. In the Control drop-down list, select Enable to enable the rule or Disable
to disable the rule. This allows you to disable a rule, if necessary, without
deleting it. Rules that are disabled will appear grayed out in the main
Rule window.
6. In the Audit Level drop-down list, select one of the following audit
options for this rule:
Errors Only—Select this option to generate only error audit events
for this rule. If you select this option, normal traffic will not be
logged. (This option increases performance and reduces the size
of audit logs.)
Traffic—Select this option to generate both normal traffic and
error audit events for this rule.
Informational—Select this option to generate error audit events,
normal traffic, and informational audit events for this rule.
7. [Optional] In the Description field, enter any useful information for this
rule (for example, a brief description of the rule).
Creating Rules and Groups 7-5

Creating proxy rules
Figure 7-2. Proxy Rule:
Source/Dest tab
Entering source and
destination information
7-6 Creating Rules and Groups
8. [Optional] If you want to temporarily disable the Application Defense
associated with this rule, select the Disable Defense Inspection check
box. Selecting this check box will temporarily disable all Application
Defense settings other than connection properties (timeout and fastpath
settings).
Note: This option will be grayed out if there is no Application Defense associated
with the rule.
The Source/Dest tab is used to enter source and destination
restrictions for a proxy rule. Follow the steps below.
1. In the Source Burb drop-down list, select the source burb associated
with this rule.
2. In the Destination Burb drop-down list, select the destination burb
associated with this rule.
Note: When defining inbound address redirection for a rule, you should select the
Internet (external) burb for both the Source Burb and the Destination Burb fields
unless you are redirecting internally, or if you are redirecting inbound to another
internal address.
3. In the Source list that is displayed, select the source object to use for this
rule. (If needed, you can use the Show drop-down list to filter the list to
display only one type of object.)
Note: If you need to create a network object for this rule, see step 5 below.
4. In the Destination list that is displayed, select the destination object to
use for this rule. (If needed, you can use the Show drop-down list to filter
the list to display only one type of object.)
Note: If you need to create a network object for this rule, see step 5 below.

Creating proxy rules
5. [Optional] To create a network object for this rule, do the following:
a. Click New. You will be prompted to select the type of object you
want to create.
b. Select the type of network object you want to create and click OK.
The New Network Object window appears.
c. Create the network object. When you click Add, you are returned to
the Source/Dest tab in the Proxy Rule window.
Note: For information on creating a Network Object, see “Creating network objects”
on page 5-10.
6. [Conditional] In the NAT Address drop-down list, select the object (IP
address or host) that will replace the original source address when it is
translated.
Note: If you selected a netmap in the Source field, the appropriate NAT properties
are automatically supplied based on the mapping configured for each IP address or
subnet in that netmap. For more information on netmaps, see “Netmap network
objects” on page 4-10.
Note: Do not set the NAT Address to localhost if you are using a virtual burb as your
destination burb.
7. [Conditional] In the Redirect Host drop-down list, select the host or IP
address to redirect the original destination.
Note: If you selected a netmap in the Destination field, the appropriate redirection
properties are automatically supplied based on the mapping configured for each IP
address and subnet in that netmap. For more information on netmaps, see “Netmap
network objects” on page 4-10.
8. [Conditional] In the Redirect Port field, type the port number on which
the connection will be redirected.
Creating Rules and Groups 7-7

Creating proxy rules
Figure 7-3. Proxy Rule:
Authentication tab
Entering authentication
information
7-8 Creating Rules and Groups
The Authentication tab is used to enter authentication information for
this rule.
Note: The following proxies can use authentication: FTP, nt_FTP, HTTP, HTTPS, SOCKS,
Telnet, and nt_Telnet. The following servers can use authentication: cobra, console, Telnet,
sshd, SSO, and WebProxy.
1. Select one of the following options:
Do not require Authentication—Select this option if you do not
want to require authentication for this rule.
Authentication using SSO (Single Sign On)—Select this option if
you want to allow SSO cached authentication for this rule. (If the
SSO server has not been configured, you will not be able to select
the option. See “Configuring SSO” on page 9-27.)
Authenticate using selected Authentication Methods—Select this
option to require authentication for this rule. If you select this
option, you will need to specify the types of authentication that
will be allowed for this rule by selecting the appropriate check
boxes in the Authentication Methods area. (Only methods that
have been configured and enabled will be available for selection.
For information on authentication methods, see “Supported
authentication methods” on page 9-5.)
2. [Optional] If more than one authentication method is selected, you may
specify a default method from the Default Method drop-down list. This
is the authentication method that will be used by the Sidewinder G2 if
the user does not specify an authentication method during log in
Important: The Default field is NOT used for administrative purposes (such as
logging in to the Admin Console). The default administration authentication method
is defined in the Firewall Administration-> Firewall Accounts window.

Figure 7-4. Proxy Rule:
Time tab
Creating proxy rules
3. [Conditional] In the Authorization area, select one of the following
options:
Allow all successfully authenticated users—Select this option if you
want to allow all users who successfully authenticate.
Allow only users in the selected Sidewinder User Group—Select this
option if you want to require users who belong to a particular
group to be allowed to use the service(s) specified within the rule.
By default All Users are authenticated.
[Conditional] Allow only users in the selected External Authorization
Role—This option is active only if SafeWord or LDAP is selected and
enabled. Selecting this option is similar to assigning a user group
to a proxy rule, except the group (or role in this case) is defined
within an external authentication program such as SafeWord
PremierAccess or LDAP/Active Directory. This relieves you from
having to maintain a second instance of the group (role) on the
Sidewinder G2.
Note: For additional information on configuring authentication for services, see
“Setting up authentication for services” on page 9-30.
Creating Rules and Groups 7-9

Creating proxy rules
Entering information on the
Time tab
7-10 Creating Rules and Groups
This tab allows you to determine the days and times a proxy rule is
enabled. You can also specify whether a proxy rule is temporary and
will expire after a specific period of time. Follow the steps below.
1. In the Times/Days field, specify when to allow or deny the service(s)
defined for this proxy rule. The format is fairly flexible. You must enter a
day of the week (or a range of days), followed by a time range (be sure
to either use military time OR include am or pm after each hour). You
may abbreviate the day, but do not use periods. You can include
multiple entries as long as they are separated by a comma and a space.
The following are examples of valid entries:
Mon-Fri 8am-5pm
Monday-Tuesday 8am-5pm, Friday noon-Sunday 8am
Thur 1200-1500, Sat 1800
8:00am-10:00pm Mon-Thur, 8:30am-5:30pm Fri
2. In the Rule Time To Live field, you can configure a proxy rule to be
temporary (that is, to expire after a specified time period). Select one of
the following three options:
No Expiration—Select this option if you do NOT want the proxy
rule to be temporary (that is, it will NOT expire). This is the default
value.
Offset—Select this option to specify a period of time that must
elapse, starting from the creation date of the rule, before the proxy
rule will expire (for example, two days, one week, three years).
When you select this option, the Disable Rule In field appears.
Select a time period from the drop-down list (Days, Hours, Minutes,
Months, Seconds, Weeks, or Years) and then specify the
appropriate number in the text box.
Date/Time—Select this option to specify an exact date and time
when the proxy rule will expire. When you select this option,
additional fields appear. In the Month, Day, and Year drop-down
lists, specify the date that you want the rule to expire. In the Time
drop-down lists, specify the exact time you want the rule to expire.

Figure 7-5. Proxy Rule:
Application Defense tab
Entering Application
Defense rule information
Creating proxy rules
The Application Defense tab is used to determine which Application
Defense (or group if you selected Service Group in the Service Type
field) will be used by a rule. Select one of the following options:
Note: Proxy rules that use Secure Web Application Defenses with the Decrypt Web
Traffic option enabled must have redirection configured.
Use the default Application Defense/Group—Select this option to use
the current default Application Defense group. The current default
Application Defense that will be used is displayed next to this
option. Ensure that this is the correct Application Defense Group
for this rule.
Select an Application Defense/Group—Select this option to select the
Application Defense (or group if you selected a service group in
the Service Type field) that you want to apply to this rule. Only
Application Defenses that are applicable to the type of rule you
are creating will appear in the table. For example, if you are
creating an HTTP rule, you will only see Web Application
Defenses in the table. To view the properties for a particular
defense, select the appropriate table row and click View.
To create a new Application Defense for this rule, click New. To
modify one of the existing Application Defenses, highlight the
appropriate table row and click Modify. (If you want to create a
new defense based on an existing defense, highlight the defense
and click Duplicate.) For information on creating or modifying an
Application Defense, see Chapter 6.
Creating Rules and Groups 7-11

Creating IP Filter rules
Creating IP Filter
rules
7-12 Creating Rules and Groups
To view the other areas where an Application Defense is used,
highlight that defense and click Usage.
Important: If the defense you want to modify is currently being used by other
rules, you will receive a pop-up window listing the areas where this defense is used
and asking you whether you want to continue modifying the defense. Click Yes to
modify the defense, or click No to return to the Application Defense tab without
modifying the defense.
This section provides information on creating IP Filter rules. To create
an IP Filter rule, follow the steps below.
Note: For overview information on IP Filter rules, see Chapter 4.
Important: IP Filter rules that you create will not be active until you place them in a rule
group that is part of the active IP Filter rules. For information on adding an IP Filter rule to a
rule group and ensuring that it is included in the active IP Filter rules, see “Creating and
managing rule groups” on page 7-19 and “Selecting your active policy rules” on page 7-22.
1. Using the Admin Console select Policy Configuration -> Rules. The Rules
window appears.
2. In the View Option field, select IP Filter Rules. The Rules window appears
with the IP Filter rules table displayed.
3. Click New -> IP Filter Rule and then select the type of IP Filter rule you
want to create:
TCP—Select this option to create an IP Filter rule specifically for the
TCP protocol.
UDP—Select this option to create an IP Filter rule specifically for
the UDP protocol.
ICMP—Select this option to create an IP Filter rule specifically for
the ICMP protocol.
Other—Select this option to create an IP Filter rule for protocols
other than TCP, UDP, and ICMP (such as AH).
Note: To modify an IP Filter rule, highlight the rule you want to modify, and click
Modify.
The IP Filter Rules window appears with the Rule tab displayed.

Figure 7-6. IP Filter Rules
window
Entering information on the
Rule tab
Creating IP Filter rules
To configure the Rules tab for an IP Filter rule, follow the steps below.
1. In the Name field, specify a name for the rule. Valid values include
alphanumeric characters, period (.), underscore (_), or hyphen (-). The
name cannot exceed 100 characters.
2. In the Protocol field, select the protocol type for the rule you are
creating. (If you selected TCP, UDP, or ICMP as the rule type, the Protocol
field will be automatically filled in for you.)
To create an IP Filter rule for a protocol that is not listed in the dropdown
list, manually type the protocol number in the Protocol field.
3. In the Action field, specify the action that should occur when a packet
matches this rule:
Allow—The packet will be translated or redirected, as defined in
the Source/Dest tab and will then continue regular kernel-level
processing.
Deny—The packet will be rejected without further filtering.
4. In the Control field, select Enable to enable the rule or Disable to disable
the rule. This allows you to temporarily disable a rule, if necessary,
without deleting it. Rules that are disabled will appear grayed out in the
main Rule window.
Creating Rules and Groups 7-13

Creating IP Filter rules
Figure 7-7. IP Filter Rules
Source/Dest tab
7-14 Creating Rules and Groups
5. In the Audit Level field, select the type of audit you want performed on
when a packet matches this rule.
None—No audit information will be recorded for this rule.
Informational—Select this option to generate errors, normal traffic,
and informational audit events for this rule.
Traffic—Select this option to generate normal traffic and error
audit events for this rule.
Errors Only—Select this option to generate only error audit events
for this rule. If you select this option, normal traffic will not be
logged. (This option increases performance and reduces the size
of audit logs.)
6. [Conditional] If you selected Informational for the audit level, in the
Audit Threshold field, specify the number of packets that will be allowed
by this rule before an audit record is generated. To disable auditing for
this IP Filter rule, set the value to zero (0).
7. [Optional] In the Description field, enter any useful information about
this IP Filter rule (for example, a brief description of the rule).
8. To configure the source and destination information for this IP Filter
rule, select the Source/Dest tab. The following window appears.

About the IP Filter Source/
Dest tab
Creating IP Filter rules
The Source/Dest tab is used to specify the source and destination
information, as well as NAT and redirection for this IP Filter rule.
Follow the steps below.
1. In the Direction field, specify which address can initiate a session by
selecting one of the following options:
Uni-directional: This option allows traffic to initiate only from the
source address.
Bi-directional: If stateful inspection is enabled for this rule, this
option allows traffic initiation from either source or destination
addresses.
Note: NAT and redirection are not allowed for bi-directional rules with stateful
inspection enabled.
2. In the Source Burb drop-down list, select the burb through which the
Sidewinder G2 should route to get to the source IP address.
3. In the Destination Burb drop-down list, select the burb through which
the Sidewinder G2 should route to get to the destination IP address.
4. In the Source Show drop-down list, select the type of network object or
group to use as the source object.
5. In the Source list that is displayed, select the source object to use for this
rule.
Note: If you need to create a network object for this rule, see step 8 below.
6. In the Destination Show drop-down list, select the type of network
object or group to use as the destination object.
7. In the Destination list that is displayed, select the destination object to
use for this rule.
Note: If you need to create a network object for this rule, see step 8 below.
8. [Optional] To create a network object for the source or destination, do
the following:
a. Click New. You will be prompted to select the type of object you
want to create.
b. Select the type of network object you want to create. The New
Network Object window appears.
c. Create the network object. When you click Add, you are returned to
the Source/Dest tab in the IP Filter Rule window.
Note: For information on creating a Network Object, see “Creating network objects”
on page 5-10.
Creating Rules and Groups 7-15

Creating IP Filter rules
7-16 Creating Rules and Groups
9. (TCP/UDP only) In the Source Port Range field, specify the range of ports
(inclusive) in which connections are allowed to be made to or initiated
from the corresponding address. Valid port ranges are 1–65535. To
specify “any port” leave the field blank.
10. (TCP/UDP only) In the Destination Port Range field, specify the range of
ports (inclusive) in which connections are allowed to be made to or
initiated from the corresponding address. Valid port ranges are
1–65535. To specify “any port” leave the field blank.
11. In the NAT Mode drop-down list, select one of the following options:
Note: NAT and redirection are not allowed for bi-directional rules with stateful
inspection enabled.
None—This option will disable NAT for this rule.
Normal—All packets that match this rule will be translated as
follows: the source address will be translated to the associated NAT
address, and the source port will be translated to a a port within
the NAT port range.
Source Port—All packets that match this rule will be translated as
follows: the source address will be translated to the associated NAT
address. The source port will not be translated.
Note: The Source Port option can only be selected for TCP/UDP rules that have
stateful inspection enabled.
12. In the NAT Address drop-down list, select the object (IP address, host, or
subnet) that will replace the original source address when it is
translated. (To filter the type of objects that appear in the list, select an
option from the Show drop-down list.)
Important: If you selected Source Port NAT in the previous step, you must specify
an alias IP address or a subnet that contains at least one alias IP address as the NAT
Address. If you specify an interface IP address or subnet that does not contain an alias
IP address, this rule will not pass traffic and audit will be generated.
13. In the Redirection Mode field, select one of the following options:
None—Select this option if you do not want to enable redirection.
Normal—Select this option to enable redirection.
14. In the Redirect Host drop-down list, select the IP address or subnet to
which the original destination should be redirected. (To filter the type of
objects that appear in the list, select an option from the Show dropdown
list.)
15. To configure the days and times that the IP Filter rule is enabled, select
the Time tab. The following window appears. (See

Figure 7-8. IP Filter Time
tab
Creating IP Filter rules
About the IP Filter Time tab This tab allows you to determine whether an IP Filter rule is
temporary and will expire after a specific period of time. Follow the
steps below.
1. In the Rule Time To Live area, specify whether this rule will expire
(become disabled). Select one of the following three options:
No Expiration—Select this option if you do NOT want the rule to
expire. This is the default value.
Offset—Select this option to specify a period of time that must
elapse, starting from the creation date of the rule, before the rule
will expire (for example, two days, one week, three years). When
you select this option, the Disable Rule In field appears. Select a
time period from the drop-down list (Seconds, Minutes, Hours,
Days, Weeks, Months, or Years) and then specify the appropriate
number in the text box.
Date/Time—Select this option to specify an exact date and time
when the rule will expire. When you select this option, additional
fields appear. In the Month, Day, and Year drop-down lists, specify
the date that you want the rule to expire. In the Time drop-down
lists, specify the exact time you want the rule to expire.
2. To configure advanced configuration information for this IP Filter rule,
select the Advanced tab. The following window appears. (See “About
the TCP/UDP IP Filter Advanced tab” below.)
Note: The Advanced tab is not available if you selected Other as the IP Filter rule
type.
Creating Rules and Groups 7-17

Creating IP Filter rules
Figure 7-9. IP Filter
Advanced tab
About the TCP/UDP IP Filter
Advanced tab
7-18 Creating Rules and Groups
The IP Filter Advanced tab for TCP/UDP rules allows you to configure
timeout information, stateful inspection, and control and error
responses for TCP or UDP packets. Follow the steps below.
Note: Stateful Packet Inspection is not currently supported for ICMP IP Filter rules in IPv4.
1. To enable stateful inspection for this rule, select the Stateful Packet
Inspection check box. You will not be able to configure other fields in
this tab without this option selected. To disable stateful packet
inspection, deselect the Stateful Packet Inspection check box.
2. [TCP only] In the Connection Timeout field, specify the amount of time
(in seconds) that a TCP session will wait for a connection to be
established once it is started. Valid values are 1–65535. (The minimum
value is one second.)
3. In the Idle Timeout field, specify the amount of time (in seconds) that a
session will remain open when there is no new traffic within an
established session. Valid values are 1–65535. (The minimum value is
one second.)
4. [TCP only] In the Limit Connection Rate area, you can limit the number
of connections that will be allowed per second by selecting Yes, and
entering the number of connections that you want allowed per second
in the Rate field. Valid values are 0—1000000000.
To disable connection rate limitations, select No.

Creating and
managing rule
groups
Creating and managing rule groups
5. [UDP only] In the Limit Packet Rate area, you can limit the number of
packets that will be allowed per second in either direction by selecting
Yes, and entering the number of packets that you want allowed per
second in the Rate field. Valid values are 0—1000000000.
To disable packet rate limitations, select No.
6. [Conditional] In the Stateful Session Failover field, select Yes to enable
stateful session sharing, or select No to disable stateful session sharing.
This field can only be modified if you are connected to an HA cluster.
(For more information on stateful session sharing, see “Sharing IP Filter
sessions in an HA cluster” on page 4-36.)
7. In the Allowed Control and Error Responses area, select the response
types that you want to allow for this rule by selecting the check box
next to each response type you want to allow. A check mark will appear
next to response types that are selected. To deselect a response type,
click the check box to clear it.
8. Click Add to save your changes, or click Cancel to reset the fields to the
values that were previously entered.
This section provides information on creating and managing your rule
groups. The process for creating and managing proxy groups and IP
Filter groups is essentially the same.
Creating a rule group
To create a rule group, follow the steps below.
1. Using the Admin Console, select Policy Configuration -> Rules. The Rules
window appears.
2. Select one of the following options in the View Option field:
To create a proxy rule group, select Proxy Rules. A list of existing
proxy rules and groups appears.
To create an IP Filter group, select IP Filter Rules. A list of existing IP
Filter rules and groups appears.
3. Click New and select Proxy Group or IP Filter Group, as appropriate. A
New Rule Group window appears prompting you to enter a name for
the new group.
Creating Rules and Groups 7-19

Creating and managing rule groups
7-20 Creating Rules and Groups
4. Enter a name that will help you identify the purpose of the rule group.
For example, a default proxy rule group called Administration contains
all of the rule associated with basic Sidewinder G2 administration.
Note: The InternetServices rule group is automatically created during initial
Sidewinder G2 configuration. However, the group is only active if you selected
Internet Services during your initial Sidewinder G2 configuration.
5. Click Add to add the rule group. An empty rule group with the name
you specified will appear in the appropriate rule table.
6. To add rules and nested rule groups to the rule group you created, see
“Managing rules and nested groups within a rule group” below.
Managing rules and nested groups within a rule group
When you create a new rule group, it will remain empty until you
populate it with rules and/or groups. To add or remove rules and
groups to an existing rule group, follow the steps below.
Note: The process is essentially the same regardless of whether you are managing a
proxy rule group or an IP Filter rule group.
1. Using the Admin Console, select Policy Configuration -> Rules. The Rules
window appears.
2. Select one of the following options in the View Option field:
To modify a proxy rule group, select Proxy Rules. A list of existing
proxy rules and groups appears.
To modify an IP Filter group, select IP Filter Rules. A list of existing IP
Filter rules and groups appears.
3. Double-click the rule group that you want to modify. (You can also
highlight the rule group you want to modify and click Modify.) A Modify
Groups window appears.

Figure 7-10. Modify
Groups window
About the Modify Groups
window
Creating and managing rule groups
This window allows you to determine which rules and nested groups
will be included in a particular rule group. It also allows you to
determine the order in which you organize those rules and nested
groups. The order of rules and nested groups within a rule group is
very important. (For information on organizing your rule groups, see
“Ordering proxy rules within a rule group” on page 4-5.)
The Available Rules and Groups table contains a list of the rules and
groups that are available to add to this rule group. The Assigned Rules
and Groups table contains a list of the rules and groups that are
currently assigned to this rule group. You can perform the following
actions within the Rule Group window:
Add a rule or nested group to the selected rule group—To add a rule or
nested group to a rule group, double-click the entry that you want
to add in the Available Rules and Groups table (or highlight the entry
and click the down arrow icon). The rule or group will be placed
in the Assigned Rules and Groups table.
Remove a rule or rule group from the selected rule group—To remove a
rule or group from a rule group, double-click the entry in the
Assigned Rules and Groups table (or highlight the entry and click the
up arrow icon). The rule or group will be removed from the
Assigned Rules and Groups table and placed in the Available Rules and
Groups table.
Creating Rules and Groups 7-21

Selecting your active policy rules
Selecting your
active policy rules
7-22 Creating Rules and Groups
Organize the assigned rules and groups within the selected rule group—
To organize the rules and groups in the Assigned Rules and
Groups table, click and drag each entry to the desired location. For
information on organizing your rule groups, see “Ordering proxy
rules within a rule group” on page 4-5.
Edit the description for a rule group—To edit the description for a rule
group, place your cursor in the Description field and add or modify
the text as needed.
Save the changes you made to the rule group—To save your changes,
click OK.
When you select rule groups in the Active Rules window (one for
proxy rules and one for IP Filter rules), they will begin actively
filtering traffic coming into and leaving the Sidewinder G2.
When you initially configure your Sidewinder G2, a default rule group
is automatically assigned as your active policy (the rules contained in
those groups will vary depending on the choices you made in the
Configuration Wizard). All rules and groups that you have created that
are not part of the active rules (that is, rules that are not included in
the active group, or in a rule group that is nested in the active group)
will remain inactive unless you add them to the active rule group or to
a group that is part of the active rule group.
You can modify your existing active rule group to add or delete rules
and/or nested rule groups as your security needs change. You can
also re-organize the rule group entries as needed. For a more detailed
overview of the active rules and how they work, see
Chapter 4.
Viewing the active policy
To view the active rules currently configured for your Sidewinder G2,
using the Admin Console select Policy Configuration -> Rules and then
click View Active Policy. The Active Rules window appears.

Figure 7-11. Active Rules
window
About the Active Rules
window
Selecting your active policy rules
This window allows you to view the active rules currently in use on
your Sidewinder G2. The active rules listed in each table consist of all
of the rules (including both individual rules and rules included in
nested groups) and determine the order in which traffic will be
processed. Which rules appear in each table are determined by the
rule group that is displayed in the Active Group field.
In this window, you can perform the following actions:
Select a new active rule group—To select a new active rule group that
will enforce traffic coming into and leaving the Sidewinder G2, see
“Modifying the active rule groups” on page 7-24. (The window is
similar for IP Filter and Proxy rule groups.)
View the IP Filter properties—To view the properties configured for
the IP Filter rules contained in the active IP Filter group, click the
IP Filter Properties button. The IP Filter General Rule Properties
window appears. See “About the IP Filter General Properties
window” on page 7-25.
Determine which group a rule belongs to—Rules that are part of a
nested rule group have a folder icon next to their name.
Creating Rules and Groups 7-23

Selecting your active policy rules
Figure 7-12. Rule Group
Select window
About the Rule Group
Select window
7-24 Creating Rules and Groups
Modifying the active rule groups
To modify the active rule groups that are currently enforcing your
policy, using the Admin Console select Policy Configuration -> Rules
and then click View Active Policy. Click the appropriate Set button (IP
Filter or Proxy). The Rule Group Select window appears.
This window allows you to select a new active policy for either IP
Filter or proxy rules. Before you select a new rule group to enforce
your security policy, ensure that the rule group you are specifying
contains all of the necessary rules and rule groups in the correct order.
When you select a new rule group in this window and save your
changes, the rules contained in that rule group will be loaded into the
Sidewinder G2 and will begin enforcing your policy.
To select a new rule group, click on the rule group that you want to
use to enforce your security policy and click OK. The new rules will
be loaded in the kernel and will use those rules to enforce your
policy.

Figure 7-13. IP Filter
General Properties
window
About the IP Filter General
Properties window
Selecting your active policy rules
Viewing and modifying general IP Filter properties
There are a number of IP Filter properties that affect all active IP Filter
rules. To view or modify these properties, in the Admin Console select
Policy Configuration -> Rules and then click View Active Policy -> IP Filter
Properties. The IP Filter General Properties window appears.
The IP Filter General Properties window allows you to specify basic
properties that apply to all IP Filter rules contained in the IP Filter
portion of the active policy. Follow the steps below.
1. In the Maximum TCP Sessions field, specify the maximum number of
TCP sessions allowed to use the IP Filter at one time. Valid values are
0–1000000.
2. In the Maximum UDP Sessions field, specify the maximum number of
UDP sessions allowed to use the IP Filter at one time. Valid values are
0–1000000.
3. In the Start of reserved ports field, specify the starting port that IP Filter
will reserve for its own use. Valid values are 1024–65533. The default is
38000.
4. In the Number of ports reserved for ipfilter field, specify the number of
ports IP Filter will reserve for its own use. Valid values are 1–64509. The
default is 200.
5. Click OK to save your changes, or click Cancel to reset the fields to the
values that were previously entered.
Creating Rules and Groups 7-25

Selecting your active policy rules
7-26 Creating Rules and Groups

C HAPTER 8
Configuring Proxies
About this chapter This chapter describes the various TCP- and UDP-based proxies on
Sidewinder G2. It also explains how to configure proxies to control
communication between systems on opposite sides of the Sidewinder
G2. This chapter covers the following topics:
“Proxy basics” on page 8-1
“Redirected proxy connections” on page 8-5
“Standard Sidewinder G2 proxies” on page 8-9
“Transparent & non-transparent proxies” on page 8-14
“Notes on selected proxy configurations” on page 8-15
“Configuring proxies” on page 8-28
“Setting up a new proxy” on page 8-31
Proxy basics A proxy is a program that controls communication between clients on
one side of a Sidewinder G2 and servers on the other side. That is, an
application client and application server on opposite sides of a
Sidewinder G2 do not communicate directly. Instead, the client and
server both “talk” to a proxy, which forwards the data back and forth.
Network applications are typically accessed using one of two lower
level communication protocols: TCP or UDP. TCP is a connectionbased
protocol that guarantees data is delivered in order and ensures
address and data integrity. UDP is a connectionless service that
delivers data with minimum overhead.
The Sidewinder G2 provides pre-defined TCP-based proxies for a
variety of Internet applications including Web, Telnet, FTP, and many
others. The Sidewinder G2 also supports proxies for routing UDP
transmissions for applications based on protocols such as SNMP and
NTP.
8
Configuring Proxies 8-1

8
Proxy basics
Figure 8-1. Example
Sidewinder G2 proxy
connection
8-2 Configuring Proxies
Important: There is a security risk involved with using UDP proxies. Unlike TCP, UDP
does not ensure address integrity. This makes it possible for a hacker to fake the source
address for some dubious purpose.
A proxy is not a server on your Sidewinder G2. Rather, a proxy
controls access to a server on the other side of your Sidewinder G2.
Also, a proxy can only access the kind of server that it represents. For
example, as shown in Figure 8-1, a Telnet proxy can access only
Telnet servers; it cannot access a Web Proxy server (or any other kind
of server).
Telnet client
internal
network
Telnet
proxy
Sidewinder
G2
external
network
Telnet server
Proxies can control connections between any two Type Enforced
network areas, regardless of whether the areas are internal or
external. The rules that you define in the active proxy rule group (see
Chapter 4) determine how the networks connected to the Sidewinder
G2 are allowed to communicate. The most common proxy directions,
internal burb-to-external burb and external burb-to-internal burb, are
explained below.
internal burb-to-external burb
The proxy connections you configure on the Sidewinder G2 will
typically be outbound (internal-to-external) connections. All data
packets traveling out through your Sidewinder G2 will appear to
come from the external address of your Sidewinder G2. That is,
the address of the network in the internal burb is not seen in the
packet information on the external burb.
external burb-to-internal burb
A proxy can also be set up for inbound (external-to-internal) connections.
In general, inbound proxies are not desirable for security
reasons (see the "Important" note below). There are, however, certain
configuration options you can use such as encryption, authentication,
and address or port redirection that make an inbound
proxy more secure. (These options are covered in more detail later
in this chapter.)

Proxy basics
Important: Network attacks using “sniffer” programs to steal users’ accounts and
passwords are becoming more frequent on the Internet. To prevent such intrusions,
you should use a strong authentication method (such as those described in Chapter
9) that prevent an attacker from gaining account information. However, attacks can
still use sniffers to compromise your data. By encrypting your network transmissions
and using proxy redirection, you can provide further defense against network attacks
(Strong Cryptography is a premium feature).
Configuring advanced proxy parameters on a per-rule
basis using Application Defenses
The Proxy window allows you to configure the basic proxy properties
and enable them in the appropriate burbs. Proxy rules allow you to
determine whether proxy access will be allowed or denied and under
what conditions. By adding Application Defenses to your rules, you
can specify advanced, application-specific proxy properties (such as
MIME/anti-virus filtering, SSL decryption, and timeout properties) on a
per-rule basis. For information on configuring Application Defenses
and rules for proxies, see Chapter 6 and Chapter 7.
Improving performance using Fast Path Sessions
The Sidewinder G2 supports a Fast Path Sessions option that improves
system performance by lessening the load placed on the system
kernel when passing proxy data through the Sidewinder G2.
Performance is improved on the Sidewinder G2 when the Fast Path
Sessions option is enabled for protocols that use many small packets,
such as Telnet.
The Fast Path Session option is configured in the Application
Defenses windows in the Connections area. Application Defenses can
be configured in advance and added to rules later, or they can be
created directly within a rule. For information on configuring Fast
Path Session options, see “Configuring connection properties” on
page 6-48.
Configuring Proxies 8-3

Proxy basics
8-4 Configuring Proxies
When to disable the Fast Path Sessions option
In most cases, the Fast Path Sessions option enhances system
performance, and in many of these cases the improvement is
significant. However, there are some cases where the Fast Path
Sessions option may negatively affect performance. Large data
transfers on heavily loaded systems, primarily FTP or HTTP traffic, can
overload a system. The Sidewinder G2 will also "throttle" these
connections under very heavy load conditions to prevent them from
taking over the system.
Proxy session limits
There is an upper limit to the number of simultaneous sessions for
certain proxy configurations. Table 8-1 provides a summary of hard
limits based on per-process resource limits.
Table 8-1. Proxy session limits (hard limits)
Proxy Session Limits
FTP 4000 sessions
t120 1000 sessions
all other TCP 8000 sessions 1
UDP The number of ports plus two times the number of sessions
must not exceed 16,000. (The maximum number of enabled
ports for all services on all burbs must not exceed 8000.)
1 A maximum of 16 Telnet sessions are allowed in the "enter destination" or
"authentication" stage.
Tip: Session limits for each proxy can be lowered from the hard limits by editing the
simultaneous_sessions entry in the configuration file (*.conf) for each proxy.

Redirected proxy
connections
Configuring multiple instances of certain proxies
Redirected proxy connections
Certain proxies (HTTP, HTTPS, generic TCP, and SQL) can be
configured to enable multiple instances of the same proxy in order to
load the traffic across the multiple instances. This is useful for
hardware configurations with multiple CPUs or sites that have
experienced problems due to an exceedingly large amount of
concurrent connections through one of those proxies. A single proxy
instance for any of these proxies can handle up to 8000 sessions (a
session consists of two connections for most protocols), which is
more than adequate for most sites. However, if your site is
consistently recording concurrent sessions that hover around the 8000
range (or if you have experienced problems because the number of
connection attempts is significantly higher) for any of these proxies,
you may need to enable additional instances for that proxy.
To monitor the number of concurrent connections for any of the
proxies listed above, in the Admin Console select Reports & Monitoring
-> Firewall Monitoring. (You will be required to log in a second time to
view the Firewall Monitoring application.) The lower right portion of
the Firewall Monitoring window contains a section titled Proxy Traffic.
In that portion of the window, you will see a list of all proxies and
servers that are currently running, with the current number of
connections that exist for that proxy.
For information on configuring the HTTP, HTTPS, or SQL proxy to
enable multiple instances, see “Configuring proxy properties” on page
8-28.
For typical Sidewinder G2 operation, proxies are configured to permit
connections from the internal network to the Internet. However, there
may be circumstances in which you want to allow an external client
access to hosts within your internal network (behind the Sidewinder
G2). For example, you may want to provide access to an internal
Telnet server or you may want a server inside your internal network
to be able to receive news feeds from an Internet news feeder.
Configuring Proxies 8-5

Redirected proxy connections
8-6 Configuring Proxies
You can set up proxy rules to redirect a connection between an
external client and the external side of the Sidewinder G2 to a system
inside your network. This rerouted connection to the internal host
system hides the actual destination from the system requesting the
connection. You can configure Sidewinder G2 proxy rules to translate
connection requests to different addresses or to different ports within
the internal network.
The address or port translation provided by redirection is usually
needed when enabling proxying from the external network to the
internal network. The following section provides examples of both
address and port redirection as supported by the Sidewinder G2.
Important: All proxies pose a security risk. As with any external-to-internal proxy, while
you can guarantee the integrity of the Sidewinder G2, you cannot guarantee the integrity
of the system for which an external user will have access. For the rare occasion where you
configure an inbound proxy, you should always use a strong authentication method.
Address redirection
If you need to configure a proxy that allows access to the internal
network, but do not want to provide routes to the internal network
you will need to configure the Sidewinder G2 for address redirection.
Address redirection is implemented in the Source/Dest tab of the Rule
window on a per-rule basis. See Chapter 7 for information on
configuring address redirection.
In the configuration shown in Figure 8-2, suppose you want to allow
any host in the Internet to Telnet to host 172.25.5.5 on the internal
network.

Figure 8-2. Address
redirection for inbound
proxy
Telnet server
172.25.5.5
internal
network
redirect
Sidewinder
G2
The Sidewinder G2 proxy redirects
(remaps) the Telnet session to address
172.25.5.5 (but the address is
concealed from the external network)
external
network
192.55.214.24
Redirected proxy connections
Telnet client
192.55.214.25
The client can access the internal
server, but must use the Sidewinder
G2 external address in the Telnet
request
With redirection configured, the connection is proxied to an address
that is different from the original destination address. In Figure 8-2, a
connection request from Internet address 192.55.214.25 is proxied to
the external side of the Sidewinder G2 (192.55.214.24). The proxy
then redirects the connection to 172.25.5.5 and proxies the session to
the internal host. From the external system’s point of view, the
destination is 192.55.214.24, when in fact, the destination is really
172.25.5.5.
Address redirection can also be applied to solve more complicated
problems. Suppose you want to allow inbound Telnet connections to
three different hosts on your internal network. If you configure your
router to route multiple addresses to the Sidewinder G2, it can then
accept the connections and proxy them through to hosts on the
internal network. Redirected proxy connections provide the address
translation between IP addresses which are valid and routed on the
Internet and private IP addresses on the corporate network. So if you
want to redirect all incoming connections to one of three hosts, then
you must reserve three IP addresses for your Sidewinder G2, or use
netmaps. (For information on using netmaps, see “Network objects”
on page 4-9.)
Note: To avoid using multiple Sidewinder G2 addresses in this scenario, you could set up
port redirection rather than address redirection (described in the following section).
Configuring Proxies 8-7

Redirected proxy connections
Figure 8-3. Port
redirection for inbound
proxy
8-8 Configuring Proxies
Port redirection
If you need to work around site-specific idiosyncrasies or to obscure
the existence of a proxy for a given service, you can use port
redirection. While such obscurity does not lessen the vulnerability
resulting from something like an inbound Telnet proxy, it does reduce
the number of attacks because the casual attacker might not notice it.
Also, the attacker must take more conspicuous actions, like port
scanning, to find the entry point. This makes it more likely that the
administrator will notice the attack. Port redirection is implemented in
the Source/Dest tab of the Rule window on a per-rule basis. See
Chapter 7 for information on configuring port redirection.
As an example, in Figure 8-3, suppose you want to configure a new
proxy for an internal host that will provide Telnet service and accept
external connections. In this configuration, a proxy connection arrives
from the external network and connects to the external side of the
Sidewinder G2. The connection arrives on the port named “hidenet”
(port 5111). When this connection comes in, it will be proxied to the
internal network, similar to how an address redirection is handled.
Telnet server
192.55.4.4
Telnet port 23
internal
network
redirect
192.55.214.24
Sidewinder
G2
external
network
hidenet port 5111
client Telnets
to port 5111 on
the Sidewinder
172.16.4.4
The proxy redirects (remaps) the
Telnet session to port 23 (but the
port is concealed from the
external network)
The difference here is that the client on the external network connects
to port 5111 (hidenet) on the Sidewinder G2 and the Sidewinder G2
connects the client to port 23 (the standard Telnet port) on 192.55.4.4
host in the internal network. This permits an inbound Telnet
connection to a host with a private IP address and does so on a port
number that is not well-known for this service. This discourages socalled
‘‘door-knob rattlers.”

Standard
Sidewinder G2
proxies
Proxy Name Type and Port Description
aol TCP
5190
changepw-form TCP
1999
dns DNS
53
finger TCP
79
ftp TCP
21
gopher TCP
70
h.323 TCP/UDP
1720
http TCP
80
Standard Sidewinder G2 proxies
The Sidewinder G2 provides a variety of pre-defined proxies to
control connections to popular Internet services using the standard
port numbers for those services (see /etc/services for a list of
recognized protocols). Table 8-1 shows an alphabetical listing of the
proxies that are preconfigured and can be quickly enabled using the
Admin Console. To set up other proxies, see “Using other proxies on
the Sidewinder G2” on page 8-13.
During system installation, if you selected Standard Internet services,
the proxies listed in bold are automatically enabled for internal
network-to-external network, and corresponding proxy rules are
added to the default active rule group.
Table 8-2. Proxies initially configured on the Sidewinder G2
Allows America Online (AOL) members in your network to run their AOL
client software and connect directly to America Online through the
Sidewinder G2.
Allows users to change their network login password for Web, Telnet, and
FTP sessions.
Enables DNS query traffic and DNS zone file transfers to cross burb
boundaries.
Enables the UNIX finger command to be used across burb boundaries.
Allows users on one side of the Sidewinder G2 transparent access to FTP
(File Transfer Protocol) servers on the other side of the Sidewinder G2.
Allows internal users to use a Gopher client to access information on
Internet Gopher servers.
Allows users to use audio and video features for H.323 applications such as
Microsoft’s NetMeeting application. See “T.120 and H.323 proxy
considerations” on page 8-22.
Allows internal users to use a Web client, such as Netscape or Internet
Explorer, to access Web sites on the Internet via transparent or nontransparent
connections. See Chapter 12 for more information.
More . . .
Configuring Proxies 8-9

Standard Sidewinder G2 proxies
Proxy Name Type and Port Description
https TCP
443
ica TCP 1494
UDP 1604
ident TCP
113
iiop TCP
683
imap TCP
143
irc TCP
6667
ldap TCP
389
lotus TCP
1352
msn TCP
569
mssql TCP
1433
netbios-tcp TCP
139
8-10 Configuring Proxies
Allows Secure Socket Layer (SSL) encrypted connections to Web servers
such as the Netscape Commerce Server (optional). For Web software that
supports SSL, such as Netscape’s browser and the Commerce Server, this
proxy permits a more secure Web connection. This proxy can be
configured to handle decryption.
Allows users to locate and connect to a Citrix server farm within a private
address space.
Note: If you are using Citrix XML Service, to locate the master browser you will
need to enable the HTTP proxy on the port that the Citrix server is configured to
use.
Note: For information on using the altaddr feature on your Citrix server
farm, refer to your Citrix documentation.
Allows users to use the UNIX ident command.
The Internet Inter-ORB Protocol (IIOP) is the wire protocol used by CORBA
(Common Objects Request Broker Architecture) applications to
interoperate in a heterogeneous network environment. The IIOP proxy
allows the Sidewinder G2 administrator to exercise control over the
dialogue between the CORBA applications.
Note: For more information on CORBA, refer to www.omg.org.
Allows use of the Internet Message Access Protocol to access e-mail from a
local server.
Allows your users to chat with other users via the Internet Relay Chat
protocol.
Allows the LDAP protocol through the Sidewinder G2.
Allows use of Lotus Notes applications across burb boundaries.
Allows Microsoft network members in your network to run their MSN client
software and connect directly to MSN through the Sidewinder G2.
Generic Microsoft SQL proxy.
Generic netbios TCP proxy.
More . . .

Proxy Name Type and Port Description
netbios-udp 137, 138 Generic netbios UDP proxy.
nntp TCP
119
nt_ftp TCP
21
nt_telnet TCP
23
ntp UDP
123
ping ICMP
(na)
pop TCP
110
printer TCP
515
RealMedia TCP/UDP
7070
rlogin TCP
513
rsh TCP
514
rtsp TCP/UDP
554
smtp TCP
25
Standard Sidewinder G2 proxies
Allows your internal users to access Usenet News received at your site and
post information to newsgroups. See “Usenet News proxy configurations”
on page 8-19 later in this chapter for information on Usenet News proxy
configurations.
Allows users on one side of the Sidewinder G2 non-transparent access to
FTP (File Transfer Protocol) servers on the other side of the Sidewinder G2.
See “Transparent & non-transparent proxies” on page 8-14 for the
difference between transparent and non-transparent proxies.
Allows users on one side of your Sidewinder G2 non-transparent access to
Telnet servers on the other side of your Sidewinder G2. See “Transparent &
non-transparent proxies” on page 8-14 for the difference between
transparent and non-transparent proxies.
Allows you to send/receive Network Time Protocol (NTP) time feeds.
Relays ICMP ECHO (ping) requests and ICMP Echo-REPLY messages
through the Sidewinder G2.
Allows connections to Post Office Protocol (POP) remote mail servers.
Allows use of the UNIX lpr command.
Allows the Sidewinder G2 to proxy audio and video data packet
connections.
Allows users on one side of your the Sidewinder G2 access to rlogin servers
on the other side of the Sidewinder G2.
Supports rcp and rsh.
Supports Real Media Player and Quick Time Multimedia Player protocols.
Allows Simple Mail Transfer Protocol traffic to be sent across burb
boundaries. (This proxy is automatically enabled if you selected transparent
SMTP service during configuration.)
More . . .
Configuring Proxies 8-11

Standard Sidewinder G2 proxies
Proxy Name Type and Port Description
snmp UDP
161-162
socks5 TCP
1080
sql TCP
1521
ssh TCP
22
streamworks TCP
1558
sunrpc TCP/UDP
111
sybase TCP
4000
syslog UDP
514
t120 TCP
1503
telnet TCP
23
wais TCP
210
whois TCP
43
wins UDP
42
8-12 Configuring Proxies
Supports remote management using SNMP protocol.
Note: The SNMP proxy must be enabled in both the source and destination
burb.
Supports the SOCKS5 protocol.
Allows Structured Query Language database lookup requests across burb
boundaries.
Allows use of the UNIX Secure Shell command, which provides secure
access to remote systems.
Supports Streamworks streaming audio and video.
Relays requests from an RPC client through the Sidewinder G2 to a remote
server.
Generic Sybase SQL proxy.
Generic UNIX syslog protocol.
Allows users to use T.120 applications such as Microsoft’s NetMeeting
application. “T.120 and H.323 proxy considerations” on page 8-22.
Allows users on one side of your Sidewinder G2 transparent access to
Telnet servers on the other side of your Sidewinder G2.
Allows users on your network with WAIS client software connections to a
database service called WAIS.
Allows users to send the UNIX whois command from a terminal. whois
looks up records in the Network Information Center.
Supports Microsoft Windows Network Services.
More . . .

Proxy Name Type and Port Description
Xscreen0 TCP
6000
X500 TCP
103
Using other proxies on the Sidewinder G2
Standard Sidewinder G2 proxies
Allows UNIX-based X Windows sessions to pass through the Sidewinder
G2. For instance, an X Windows process running on one terminal could
send screen output through the Sidewinder G2 to another window at a
different terminal.
Note: While redirecting X Windows is a common practice at larger UNIX sites
with X Windows environments, X Windows is NOT a secure application. Using this
proxy strictly for sending X Windows traffic through the Sidewinder G2 is not
recommended for most sites. However, if the Sidewinder G2 has been configured
as a Sidewinder G2 between two networks, both of which are within your
organization (sometimes called “inter-walling”), the Xscreen0 proxy might not
pose serious security hazards. This depends on the nature of the site’s two
networks.
Supports the X500 directory server.
In special cases, you may want to set up a UDP proxy or a TCP proxy
service that is not preconfigured when you install the Sidewinder G2.
The Sidewinder G2 contains a special domain called Genx that can be
used for TCP proxies other than the ones that are initially set up on
the Sidewinder G2. A special domain called UDPx can be used for
UDP proxies.
If you set up more than one of your own proxies, they will not be
isolated from each other using Type Enforcement since they are all
contained in one domain (Genx for TCP and UDPx for UDP).
However, proxies you add are still isolated from all other domains
and cannot interfere with any other Sidewinder G2 activity.
Tip: To set up additional proxies using the Admin Console, refer to “Setting up a new
proxy” on page 8-31.
Important: If you set up your own proxies or reconfigure established proxies, do not use
ports 9000–9010. These ports are reserved by the Sidewinder G2 for administration
purposes.
Configuring Proxies 8-13

Transparent & non-transparent proxies
Transparent &
non-transparent
proxies
8-14 Configuring Proxies
The Sidewinder G2 FTP, HTTP, HTTPS, and Telnet proxies can be
configured to be transparent or non-transparent to users.
Transparency for the HTTP and HTTPS proxies is configured on a perrule
basis via Application Defenses. Transparency for FTP and Telnet
is determined by two distinct proxies that can be enabled and
specified in your active rules (telnet and nt_telnet, ftp and nt_ftp).
When using transparent proxy settings, the user appears to connect
directly to the desired network’s FTP, HTTP, HTTPS, or Telnet proxy
without connecting to the Sidewinder G2 first.
For example, to initiate an outbound Telnet session using a
transparent Telnet proxy, a user would issue the following command
from his or her workstation:
telnet destination_IP_address
With a non-transparent Telnet proxy, a user must first Telnet to the
Sidewinder G2 and specify a destination address for the Telnet
session. For example, the following shows how an internal user
would initiate a Telnet session to a server in an external network
using a non-transparent proxy that requires standard password
authentication.
>telnet internal_IP_address
(connection message from the Sidewinder G2 appears...)
>Enter destination: destination_address
>Username: username
>Password: password
(connection message from the destination Telnet server appears...)
>login: username
>Password: password
While non-transparent proxy configurations are not typically used,
they may be useful under special circumstances. For example, if your
internal network is experiencing problems resolving routes or names,
non-transparent proxy configurations may be used as a temporary
measure to allow FTP, HTTP, HTTPS, or Telnet sessions.

Notes on selected
proxy
configurations
Notes on selected proxy configurations
You may also need to use non-transparent proxy configurations for
outgoing connections if you configure the Sidewinder G2 to trigger an
alarm event when external addresses are detected on the internal side
of the Sidewinder G2. (For information on alarm events, see Chapter
17.) For incoming connections, you may need to use non-transparent
proxy configurations if the internal network is not visible to the
external side and redirection to a single internal machine is
undesirable.
Note: Certain transparent and non-transparent proxy configurations can require users to
authenticate before they are allowed to connect (see Chapter 9).
This section provides additional configuration information on some of
the more common proxy configurations that you can use at your site.
Telnet (page 8-15)
FTP (page 8-17)
HTTP/HTTPS (page 8-18)
ICA (page 8-18)
Sun RPC (page 8-19)
NNTP (page 8-19)
T.120 and H.323 (page 8-22)
generic TCP (page 8-26)
DNS (page 8-27)
Notes on using the Telnet proxy
The Sidewinder G2 provides a Telnet proxy that allows your trusted
users to remotely log in to Internet systems using a Telnet client.
When the proxy software is enabled, users can Telnet to any available
Internet site, and the connections will be routed through the
Sidewinder G2 without users being aware of it. You can control which
systems on your trusted networks can use Telnet and prohibit users
from accessing specified external addresses.
Configuring Proxies 8-15

Notes on selected proxy configurations
8-16 Configuring Proxies
Systems that users log in to must be running a Telnet server in order
to establish the connection. To make the Telnet connection, users
must run a Telnet client and specify the name of the remote system
they want to access. Users accessing a Telnet server must also have
accounts on that system. Once the session is established, the user is
logged in on the remote system as if he or she were a local user.
Important: Using the Admin Console, you can also set up a Telnet proxy from the
external burb to an internal burb on your Sidewinder G2. This is only required in specialized
cases. For example, if you are using a strong authentication method to authenticate Telnet
sessions, you may want to allow administrators to remotely access a server inside your
network. Before setting up this type of proxy, you may want to contact Secure Computing
to get assistance addressing any security issues this presents.
Note: If an Internet Telnet server is not available when a trusted user tries to connect, the
user will NOT receive a message stating that the connection was unsuccessful.
The following steps summarize the tasks you need to perform to set
up Telnet access for internal users.
1. Enable the Telnet proxy for the appropriate burb(s). (See “Configuring
proxies” on page 8-28.) The Telnet proxy runs in its own domain on the
Sidewinder G2.
2. Ensure that the Internet Services proxy rule is enabled and is contained
in the active rule group. The Internet Services proxy rule consists of a
service group that contains Telnet as well as other Internet services.
(You can also create an individual telnet_out rule if you want to
configure authentication specifically for Telnet.) See “Creating proxy
rules” on page 7-4.
This rule allows users from one of your trusted burbs to Telnet to the
Internet. You can use the Admin Console to disable this proxy rule or
change its settings to control which internal users are allowed Telnet
access and to which external systems they can connect. See “Users and
user groups” on page 4-8 for detailed information.
3. [Optional] Configure the Sidewinder G2 to authenticate all users
requesting Telnet service before the Sidewinder G2 makes the network
connection. Refer to Chapter 9 for details on the authentication
methods supported by the Sidewinder G2.

Notes on using the FTP proxy
Notes on selected proxy configurations
The FTP proxy allows internal users to use an FTP client to remotely
log in to Internet systems. Systems that users log in to must be
running an FTP server in order to establish the connection. To make
the FTP connection, users must run an FTP client and specify the
name of the remote system they want to access.
Note: If an Internet FTP server is not available when an internal user tries to connect, the
user will NOT receive a message stating that the connection was unsuccessful.
The following steps summarize the tasks you need to perform to set
up FTP access for internal users.
1. Enable the FTP proxy for the appropriate burb(s). (See “Configuring
proxies” on page 8-28.) The FTP proxy runs in its own domain on the
Sidewinder G2.
2. Ensure that the Internet Services proxy rule is enabled and is contained
in the active rule group. The Internet Services proxy rule consists of a
service group that contains FTP as well as other Internet services. (You
can also create an individual ftp_out rule if you want to configure
authentication specifically for FTP.) See “Creating proxy rules” on page 7-
4.
Once you enable the FTP proxy, this rule will allow all internal users FTP
access to the Internet. You can use the Admin Console to disable this
proxy rule or change its settings to control which internal users are
allowed FTP access and to which external systems they can connect.
See “Users and user groups” on page 4-8 for detailed information.
3. [Optional] Create a rule that requires authentication for all users
requesting FTP service before the Sidewinder G2 makes the network
connection. Refer to Chapter 9 for details on the authentication
methods supported by the Sidewinder G2.
Note: You can configure advanced parameters (such as FTP permits) for the FTP
proxy on a per rule basis using Application Defenses. For information on creating FTP
Application Defenses, see “Creating FTP Application Defenses” on page 6-33.
Configuring Proxies 8-17

Notes on selected proxy configurations
8-18 Configuring Proxies
HTTP/HTTPS considerations
The HTTP and HTTPS proxies allows you to configure Web access
(including authentication) for trusted and untrusted users. You can
configure header filtering, URL controls, MIME/anti-virus filtering, and
types of Web content (objects) that will be denied on a per-rule basis
using Application Defenses. Additionally, using HTTPS you can also
configure SSL decryption and clientless VPN services. For more
information on the HTTP/HTTPS proxies, see Chapter 12. For
information on creating Application Defenses for the HTTP/HTTPS
proxies, see “Creating Web or Secure Web Application Defenses” on
page 6-4.
Note: If your site requires caching services, you can use the Web proxy server. The Web
proxy server is implemented using Squid, an open source software program that provides
proxying and caching capabilities. The Web proxy server is described in Chapter 12.
ICA proxy considerations
The ICA proxy allows you to utilize the Citrix Independent Computing
Architecture (ICA) protocol to allow remote clients to access
applications within a Citrix server farm. You may locate these
applications either by configuring your client directly, or by pointing it
to a master browser. A master browser is a Citrix server that is
configured to be responsible for tracking the ICA functions that are
available for clients to access, such as applications or other Citrix
servers (known as member browsers).
For information on configuring the ICA proxy, see “Configuring
proxies” on page 8-28
Note: You can configure advanced parameters (such as timeout properties) for the ICA
proxy on a per rule basis using Application Defenses. For information on creating
Application Defenses for the ICA proxy, see “Creating Citrix Application Defenses” on page
6-31.
Note: Refer to your Citrix documentation for information on configuring your master
browser and member browsers.

Sun RPC proxy considerations
Notes on selected proxy configurations
The RPC proxy allows you to transfer Sun RPC traffic between a client
application and an RPC server on opposite sides of the Sidewinder
G2. This proxy listens on port 111 (the portmap process) for RPC
requests and forwards them to the destination server.
Both TCP and UDP traffic are supported for this proxy. However,
some additional configuration may be necessary for timeout
processing when proxying UDP traffic. UDP sessions remain live until
the idle timeout threshold is met. Therefore, a session with a timeout
value of 30 seconds will remain live for 30 seconds even though the
session may have only required two seconds of processing time.
Connection properties for the Sun RPC proxy are configured via
Standard Application Defenses. See “Creating Standard Application
Defenses” on page 6-45.
Usenet News proxy configurations
Sidewinder G2 supports a Network News Transfer Protocol (NNTP)
proxy that allows you to use a Usenet News server at your site. This
allows your site to exchange news with an Internet News provider.
(Sidewinder G2 does not run a news server because of the large
amount of disk space required.)
When you set up a news server at your site, that system must run a
Usenet News package such as C-News/NNTP or InterNet News (INN).
You must arrange for a news “feed” from the site responsible for
transferring news to/from your site. In addition, you need to provide
internal users with software that allows them to access the news that
your site receives and post their own articles to newsgroups.
Before you configure a proxy rule for Usenet News proxies, you must
specify which network objects the news information can be
transferred to and from. For information on network objects, see
“Creating network objects” on page 5-10.
Note: You cannot use the Sidewinder G2 to control which newsgroups your internal users
can subscribe or post to—that must be configured in the Usenet News software.
Configuring Proxies 8-19

Notes on selected proxy configurations
Figure 8-4. News server
in front of the Sidewinder
G2
8-20 Configuring Proxies
Whether you need Usenet News proxies in one direction or two will
depend on your server configuration, as described below. Normally
you will use the NNTP proxy so that news can be transferred only to
and from your feed site.
News server configurations
You have several options for configuring a Usenet News server when
you use the Sidewinder G2 in your network. Two common
configurations are listed below, along with issues to consider with
each.
News server in front of the Sidewinder G2
In this configuration, your news server is placed in front of the
Sidewinder G2. The external server could be operated by your
Internet service provider (ISP) or by your site. This configuration
assumes that news access only via NNTP is allowed, which is typical
(rather than through NFS or a local filesystem).
news client
internal
network
news
proxy
Sidewinder
G2
external
network
news server
In Figure 8-4:
— An internal-to-external proxy is required to allow internal
users access to the news server. An external-to-internal news
proxy is not necessary.
— Your router should be used to limit access so that only your
news feed site can access the news server from the Internet.
News server behind the Sidewinder G2
In this configuration, your news server is behind the Sidewinder
G2 on your internal network.

Figure 8-5. News server
behind the Sidewinder
G2
news client
news server
internal
network
Notes on selected proxy configurations
Sidewinder
G2
external
network
news feed
In Figure 8-5:
— Your feed site must send news through the Sidewinder G2.
The Sidewinder G2 forces the connection to go to the server
you designate as your internal news server.
— If the NNTP daemon on your news server is compromised, an
attacker may have full access to the internal network.
— This configuration normally requires a news proxy for each
direction as follows: An internal-to-external proxy must be
enabled to allow your news server to send information to the
feed site. A second proxy allows the feed site to send news to
the internal server. The connection in both directions is
handled through the Sidewinder G2. If your internal news
server’s address was visible to the Internet, you could set up
an external-to-internal proxy from your feed site to your news
server. This is usually not the case, since you normally do not
want internal addresses to be visible on the Internet.
Note: If you set up the news feed using the NNTP “pull” model, you will only need an
internal-to-external proxy. (For more information, see Managing UUCP and Usenet,
published by O’Reilly & Associates, Inc.)
— Instead of a standard external-to-internal proxy, you set up an
external-to-internal news proxy using port or address
redirection. Redirecting a proxy allows you to reroute a
connection to a specific host system using the same or
different port number as the original connection request.
When you set up a proxy redirection for news, you allow a
connection between your feed site and the Sidewinder G2,
then provide the address of your internal news server to the
Sidewinder G2 so it will reroute the proxy to that server.
Important: If your news server is behind the Sidewinder G2, refer to “Redirected
proxy connections” on page 8-5 for additional information.
Configuring Proxies 8-21

Notes on selected proxy configurations
8-22 Configuring Proxies
T.120 and H.323 proxy considerations
The T.120 and H.323 proxies can be configured to work together,
allowing you to make use of both the data-sharing and audio/video
features of data conferencing products, such as Microsoft NetMeeting,
in a single conference. This section provides an overview of each
proxy and its role in data conferencing. It also provides information
on configuring the two proxies to work together to enable the
complete realm of NetMeeting features.
About the T.120 proxy
The T.120 proxy provides support for applications built using the
International Telecommunication Union (ITU) T.120
recommendations. The T.120 recommendations are most prevalent in
data conferencing applications. T.120 defines several standardized
data conferencing services including application sharing, text chat,
shared whiteboard, and multipoint file transfer.
Microsoft’s NetMeeting is a popular example of a T.120 enabled
application. The T.120 proxy enables you to use all of the standard
T.120 data conferencing services, and provides you with a means to
control which services are accessible. The T.120 proxy also provides
support for the Microsoft NetMeeting chat and application sharing,
which are non-standard T.120 application services.
Note: The audio, video, ILS, and ULS features of NetMeeting are not supported by the
T.120 proxy. To provide support for these features, you must enable the H.323 proxy. You
must also add the pre-configured NetMeeting proxy rule to the active proxy rule group.
This will ensure that both proxies remain in synchronization with one another. See
“Synchronizing the T.120 and H.323 proxies for use with NetMeeting” on page 8-25 for
more information.
When configured, the T.120 proxy is transparent to the participants of
the data conference. The T.120 proxy will come into play when a
conference participant attempts to join an existing conference or
attempts to invite another participant that resides in a different burb.
The T.120 proxy will intercept and mediate the session between the
pair of conference host machines (referred to as "nodes" in T.120
parlance).

Notes on selected proxy configurations
T.120 conferences are arranged into a hierarchy of nodes. The
placement of the Sidewinder G2 with respect to the nodes in the
conference affects how many sessions are created through the proxy
and the communication path of the conference data. When a first
conference participant joins a conference in a different burb, a T.120
session will be created between the participant's node and the
contacted node. If a second conference participant attempts to contact
the new conference node, a separate session will be created.
The preconfigured NetMeeting proxy rule (when added to the active
rule group) will apply to each participant’s respective node IP
address. On the other hand, if the second participant contacts the first
participant and asks to join the conference, the same session through
the proxy will be used. The NetMeeting proxy rule, which applies to
the first participant’s node will also apply to this session.
The T.120 proxy is configured to use port 1503 by default. This can be
changed as described in “Configuring proxies” on page 8-28.
About the H.323 proxy
H.323 is an International Telecommunications Union (ITU) standard
that provides support for audio and video conferencing across a
shared medium such as the Internet. The H.323 proxy provides for
safe transfer of packets between burbs, standard functions such as
filtering on source and destination hosts and burbs, and NAT and
redirection. The H.323 proxy is a protocol-aware, application layer
proxy that examines H.323 packets for correctness and adherence to
site security policy. In addition to the standard filtering mentioned
above, the H.323 proxy provides a mechanism for allowing or
disallowing certain codecs (audio or video encoding schemes) within
the H.323 protocol. (See the H.323 permissions discussion in “Creating
proxy rules” on page 7-4.)
Microsoft NetMeeting is a popular implementation of the H.323
protocol. The H.323 proxy enables you to use the audio and video
features of data conferencing products, such as NetMeeting.
Note: The standard data conferencing features, as well as the chat and application
sharing features of NetMeeting are not supported by the H.323 proxy. To provide support
for these features, you must also enable the T.120 proxy. You must also add the preconfigured
NetMeeting proxy rule to the active proxy rule group. This will ensure that both
proxies remain in synchronization with one another. See “Synchronizing the T.120 and
H.323 proxies for use with NetMeeting” on page 8-25 for more information.
Configuring Proxies 8-23

Notes on selected proxy configurations
8-24 Configuring Proxies
The H.323 proxy can function between two endpoints (a single client
implementation such as NetMeeting), or between one or more
endpoints and a Multi-point Control Unit (MCU). The MCU enables
two or more endpoints to simultaneously participate in a call. Each
endpoint sends its audio and video signals through the Sidewinder G2
to the MCU. The MCU then combines the audio signals and selects
one or more video signals to return to each endpoint.
Note: The H.323 proxy does not recognize any configuration difference between an
endpoint and an MCU.
At this time, the H.323 proxy will not communicate with an H.323
gatekeeper. A gatekeeper is an entity, not unlike a Sidewinder G2,
which sits between the source and destination endpoints, and
typically provides services such as authentication, authorization, alias
resolution, billing, and call routing. If there is a gatekeeper between
the Sidewinder G2 and the source or destination endpoint, and the
endpoint is configured to use the gatekeeper, the conference will not
be possible.
The H.323 proxy must examine the contents of the protocol packets
for encoded addresses and port numbers. Therefore, any sort of
encryption of H.323 sessions is not possible in conjunction with the
proxy. When implementing the H.323 protocol, you must disable
NetMeeting's security features, or the security features of any other
endpoint or MCU you may be using. Additionally, you must not route
H.323 traffic through a virtual private network (VPN).
Also, any calls originating from the outside network and destined for a
host on the internal network may be configured to use the netmaps
feature. (For information on using netmaps, see “Configuring
netmaps” on page 5-16.) This provides a form of redirection that
allows you to hide a group of addresses behind the Sidewinder G2
while still allowing the inbound caller to reach the proper destination
machine.

Notes on selected proxy configurations
Synchronizing the T.120 and H.323 proxies for use with NetMeeting
The T.120 and H.323 proxies can work together, allowing you to
make use of both the data-sharing and audio/video features of
NetMeeting in a single conference as follows:
The T.120 proxy enables you to use all of the standard T.120 data
conferencing services, and provides you with a means to control
which services are accessible. The T.120 proxy also provides
support for the Microsoft NetMeeting chat and application sharing,
which are non-standard T.120 application services.
The H.323 proxy provides support for the audio and video
features of NetMeeting.
To make use of both the data-sharing and audio/video features of
NetMeeting in a single conference, you must ensure that both the
T.120 and H.323 proxies are enabled in the same burbs. This is
necessary because for a single NetMeeting session, part of the traffic
(the H.323 portion) is routed through the H.323 proxy, and part of the
traffic (the T.120 portion) is routed through the T.120 proxy. If the
H.323 and T.120 proxy configurations are out of synchronization, it is
likely that NetMeeting conferences will not function correctly or
completely (for example, audio and video work, but data-sharing
does not work).
To prevent the two proxies from becoming out of synchronization,
you can add the pre-configured NetMeeting proxy rule to your active
rule group. (See “Creating and managing rule groups” on page 7-19.)
The NetMeeting proxy rule allows access to both the T.120 and H.323
proxies (using the pre-configured NetMeeting Service Group), and
allows access to all available NetMeeting features.
You can modify the NetMeeting proxy rule as needed or create your
own proxy rules to allow only a portion of NetMeeting’s features,
such as the chat and whiteboard features. These properties are
configured via the Multimedia Application Defense that is associated
with a particular proxy rule. For information on configuring
Application Defenses for H.323/T.120, see “Configuring the IIOP
Connection tab” on page 6-35.
Configuring Proxies 8-25

Notes on selected proxy configurations
8-26 Configuring Proxies
To appropriately restrict access for the NetMeeting proxy rule, you
can also configure network objects or other rule elements. For
example, if you want to allow only administrators access to all
NetMeeting features, you could create and specify a network object
within rule that contains the IP addresses for all of your
Administrators. See “Rule elements” on page 4-6 and “Creating proxy
rules” on page 7-4 for more details.
Generic TCP proxy considerations
The following sections provide information on configuring the keep
alive option for a generic TCP proxy, and restricting the outgoing port
for a user-defined generic TCP proxy.
Configuring the keep alive option for a generic TCP proxy
The "keep alive" option allows you to configure the Sidewinder G2 to
actively ensure that a generic TCP proxy session is still active. When
the keep alive option is turned on for a particular TCP proxy the
Sidewinder G2 will, at a determined time (the default is two hours),
verify that the TCP session is still active. If the session is inactive, the
Sidewinder G2 will make a total of eight successive attempts to check
for activity. If the session is still inactive, the Sidewinder G2 will
immediately terminate that session.
To configure a generic TCP proxy to use the keep alive option, follow
the steps below.
1. Using a text editor, open the appropriate TCP proxy configuration file
(/etc/sidewinder/proxy/proxyname.conf ).
2. In the keep_alive field, toggle the value to [on].
Note: Secure Computing strongly recommends setting the Idle Timeout value to
zero (0) for any TCP proxy with the keep-alive option enabled. (The Idle Timeout value
for a generic TCP proxy is configured in the Standard Application Defense.)
3. Save the changes and exit the file.
Note: You will need to restart the proxy for the changes to take effect.

Notes on selected proxy configurations
4. [Optional] Set the keep _idle value using the sysctl command.
The "keep idle" value allows you to specify the amount of time that will
pass before a session’s periodic "keep alive" exchange will begin when
no data is being exchanged. The default value is 7200. The following
example will set the value to 300.
sysctl -w net.inet.tcp.keepidle=300
Important: You must also add this line to /etc/rc.local or it will be overwritten
upon reboot.
Notes on using the DNS proxy
If you have many hosts on a trusted network that point to an external
DNS server, and you want these hosts to use the unbound DNS server
on the Sidewinder G2 instead, you have two options:
You can modify each of the individual hosts to point to the
unbound DNS server.
You can configure a DNS proxy rule on the Sidewinder G2 that
redirects the DNS traffic from the trusted burb in which the hosts
reside to the unbound DNS server. This may be the preferred
option if you have hundreds or thousands of local hosts, because
you can make one change on the Sidewinder G2 rather the
hundreds or thousands of individual changes.
When defining the DNS proxy rule, be sure to set the following
information on the Source/Dest tab in the Proxy Rule window:
— Set the Redirect Host field to 127.0.0.1
— Set the NAT Address field to Localhost. The DNS proxy will not
allow redirection to any other loopback addresses (127.2.0.1).
Important: If your Sidewinder G2 uses split DNS mode, do not create this type of proxy
rule on the Internet burb, because traffic will bypass the Internet DNS name server.
Configuring Proxies 8-27

Configuring proxies
Configuring
proxies
Figure 8-6. Proxies
window
8-28 Configuring Proxies
The pre-configured Sidewinder G2 proxies consist of standard settings
and require very little modification. For most proxies the only
configuration decision to be made is whether to enable or disable
each individual proxy. However, the Admin Console also provides the
capability to modify and delete existing proxies, or to create entirely
new proxies.
Tip: You can configure advanced properties for most proxies on a per rule basis using
Application Defenses. For information on configuring Application Defenses, see Chapter .
For an overview of Application Defenses, see “Application Defenses” on page 4-14.
Configuring proxy properties
To configure properties for a proxy, start the Admin Console and
select Services Configuration -> Proxies. A table appears in the upper
portion of the window, listing the available proxies. (Use the scroll
bar to browse the entire list of proxies.)
About the Proxies window The main proxy window consists of a proxy table that lists all of the
proxies that are currently available by row. Each row displays a
summary of the current configuration for that proxy, as follows:
Tip: You can configure advanced properties for most proxies on a per rule basis using
Application Defenses. For information on configuring Application Defenses, see Chapter .
For an overview of Application Defenses, see “Application Defenses” on page 4-14.
Note: To enable or disable the Web proxy server, refer to “Configuring the Web proxy
server” on page 12-12.

Proxy Name—Displays the name of the proxy.
Configuring proxies
Attributes—Displays icons indicating the type of Application
Defense associated with a proxy, as well as which protocol this
proxy uses. (A “T” icon with a solid line beneath it appears for
TCP proxies, and a “U” icon with a dashed line appears for UDP
proxies. If a proxy uses both protocols, both icons will appear.)
Enabled in Burbs—Displays the burb(s) for which this proxy is
currently enabled.
Port Definitions—Displays the port(s) that this proxy currently uses.
To create a new proxy, click New beneath the proxy table. See
“Setting up a new proxy” on page 8-31 for details on creating a new
proxy.
To delete a proxy, highlight the proxy you want to delete, and click
Delete in the lower left portion of the window. (You cannot delete
proxies that are pre-configured on the Sidewinder G2.)
Note: You cannot delete a proxy that is specified as a service in a proxy rule.
When you select a proxy in the proxy table, the configuration
information for that proxy appears in the Proxy Properties tab in the
lower portion of the window. This tab allows you to modify the proxy
information. To configure or modify the properties for a proxy, select
the proxy in the table, and follow the steps below.
Note: The fields that appear will vary depending on which proxy you select.
Note: You cannot modify a proxy’s name or protocol once it has been created. To change
the name or protocol for a proxy, you must delete the proxy and then create a new proxy
with the new name and/or protocol.
1. In the Enabled In Burbs field, select the burb(s) for which this proxy is
enabled. A check mark indicates that a burb is enabled for that proxy.
Important: Be sure to deselect any burbs for which you do not want this proxy
enabled. (If a burb is disabled, a check mark will NOT appear next to it.)
2. In the Port Definitions field, specify the port(s) or range(s) of ports that
the proxy will use. TCP proxies can have multiple, non-contiguous ports
configured. Non-TCP proxies may only be allowed to have a single port,
or a single port range configured.
Configuring Proxies 8-29

Configuring proxies
8-30 Configuring Proxies
To add a new port or range of ports, click New. To modify an existing
port or range of ports, highlight the entry and click Modify. The Port(s)
Configuration window appears. For information on configuring the Port
Configuration window, see “Configuring connection ports” on page 8-
33.
Important: Do not specify a port number or range that is currently being used for
a server or another proxy running on the Sidewinder G2.
3. (http, https, sql, and generic TCP proxies only) To specify the total
number of connections expected for a proxy, select one of the
following options from the Expected Connections drop-down list:
Caution: Do not change the value for this field unless you have experienced
performance problems for one of the proxies listed. Opening multiple instances of a
single proxy can create performance problems if you enable them unnecessarily. For
specific information on when to enable multiple proxy instances, see “Configuring
multiple instances of certain proxies” on page 8-5.
1000—Select this value to open a single instance for a proxy.
2000—Select this value to open a single instance for a proxy.
4000—Select this value to open two identical proxies.
8000—Select this value to open four identical proxies.
16000—Select this value to open eight identical proxies.
4. Click the Save icon to save your changes, or click Cancel to revert to the
previously saved data.
Note: You can configure advanced proxy parameters (such as Fast Path Sessions) and
assign them on a per rule basis using Application Defenses. See Chapter 6 for details.
Note: The ICA and ping proxies contain an additional Advanced tab that you can
configure. For information on configuring the ICA proxy Advanced tab, see “Configuring
the ICA proxy Advanced tab” on page 8-30. For information on configuring the ping proxy
Advanced tab, see “Configuring the ping proxy Advanced tab” on page 8-31.
Configuring the ICA proxy Advanced tab
To configure the Advanced tab for the ICA proxy, in the Admin
Console, select Services Configuration -> Proxies. The Proxies window
appears. Select the ica proxy from the proxy table and select the
Advanced tab. The following tab appears in the lower portion of the
window.

Figure 8-7. ica proxy
Advanced tab
About the ICA proxy
Advanced tab
Setting up a new
proxy
Setting up a new proxy
The ICA Advanced tab allows you to configure which burbs you want
to enable for the master browser. Follow the steps below.
Note: Refer to your Citrix documentation for information about the master browser.
1. In the Browser field, select the burb(s) for which you want to enable the
master browser.
2. Click the Save icon in the toolbar to save your changes.
Configuring the ping proxy Advanced tab
Ping timeout properties cannot be configured on a per rule basis.
Therefore, advanced ping properties cannot be configured via
Application Defenses. To configure the timeout value for the ping
proxy, do the following:
1. In the Admin Console, select Services Configuration -> Proxies.
2. Select the ping proxy, and then select the Advanced tab.
3. In the Timeout field, specify the length of time, in seconds, that the
proxy should attempt to connect to the server before the proxy stops
trying.
4. Click the Save icon to save your changes.
As described earlier in this chapter, the Sidewinder G2 is set up to run
a variety of standard proxies. You can set up additional proxies if
needed. To set up a new proxy, you will need to know the name of
the service and the port number on which it runs. In the Admin
Console and select Services Configuration -> Proxies. The Proxies
window appears.
Configuring Proxies 8-31

Setting up a new proxy
Figure 8-8. New Proxy
window
Entering new proxy
information
8-32 Configuring Proxies
This window allows you to define a new proxy. Follow the steps
below.
1. In the New Proxy Name field, type a descriptive name for the new proxy.
Note: You cannot modify the proxy name once it has been saved.
2. In the Protocol drop-down list, select the appropriate protocol for this
proxy, as follows:
TCP—Select this option to create a TCP proxy.
UDP—Select this option to create a UDP proxy.
Other—Select this option to create a new instance of an
application-aware proxy. If you select this option, a drop-down list
appears. Select the appropriate service from the list.
3. In the Port Range field, click New to specify the port range that the
proxy will use. See “Configuring connection ports” on page 8-33 for
more information on configuring ports.
Important: Do not specify a port number or range that is currently being used for
a server running on the Sidewinder G2.
4. Click Add to add the new proxy to the proxy table. Once you have
added the proxy to the table, you may select the proxy and configure
additional information such as the burbs for which it will be enabled.
For information on configuring the proxy, see “Configuring proxy
properties” on page 8-28.
Important: After configuring a new proxy, you should configure access restrictions
to the proxy by following the procedure described in “Creating proxy rules” on page
7-4.

Configuring connection ports
Setting up a new proxy
The Edit a Port window allows you to configure a single port or a port
range, or you can select from pre-defined ports for specific proxies by
selecting one of the following radio buttons:
Specify a Port—Select this option to specify a single port. In the Port
field, type a port number or use the up and down arrows to
display the desired port.
Specify a Port Range—Select this option to specify a port range. In
the Begin Port and End Port fields, specify the range of ports that
this proxy can use (you can either type the port numbers in the
appropriate fields or use the up and down arrows to display the
desired ports).
TCP maximum segment size
The TCP layer uses a maximum segment size (MSS) parameter to
determine how much data can fit in a single data segment. At
connection time, systems negotiate how big this value can be.
If you choose an MSS that is too small, all systems passing a given
piece of data through a network must process more IP and physical
network frames. This can drastically slow down an entire network. On
the other hand, an MSS value that is too large forces the IP layer to
fragment and reassemble the data, overburdening the receiving
system.
Almost all systems on the Internet accept a TCP MSS of 536 data bytes.
Most newer TCP/IP systems can effectively use a TCP MSS of 1460
bytes, improving the traffic load on the entire network. The
Sidewinder G2 uses this as the default MSS value. With systems that
cannot accept segments of 1460 bytes, the Sidewinder G2 negotiates
down to the MSS that can be effectively used.
In a few cases, the default 1460 byte MSS size could cause a problem.
Some older TCP/IP implementations do not negotiate the TCP MSS
value. These older implementations also cannot perform IP
reassembly. The most likely symptom will be that these systems will
no longer be able to communicate through the Sidewinder G2.
Configuring Proxies 8-33

Setting up a new proxy
8-34 Configuring Proxies
The TCP MSS can be set to different values using the sysctl
command. For example, the following command sets the TCP MSS to
536:
sysctl -w net.inet.tcp.mssdflt=536
Important: You must also add this line to /etc/rc.local or it will be overwritten
upon reboot.

C HAPTER 9
Setting Up Authentication
About this chapter This chapter describes the methods that are available to authenticate
Sidewinder G2 users and administrators. This chapter includes
information on how to set up the Sidewinder G2 to authenticate login,
Telnet, FTP, Web, SOCKS5, secure shell (SSH), and VPN sessions. This
chapter also provides information on configuring single sign-on
(SSO). The following topics are covered:
Authentication
overview
“Authentication overview” on page 9-1
“Supported authentication methods” on page 9-5
“Authentication process overview” on page 9-9
“Users, groups, and authentication” on page 9-11
“Configuring authentication services” on page 9-11
“Configuring SSO” on page 9-27
“Setting up authentication for services” on page 9-30
“Setting up authentication for Web sessions” on page 9-32
“Setting up authentication for administrators” on page 9-33
“Allowing users to change their passwords” on page 9-34
“How users can change their own password” on page 9-36
In general, authentication refers to a process that validates a person’s
identity before he or she is allowed to log in to a network server.
Depending on the authentication method used, a person must provide
a user name and valid password and/or a special passcode or
personal identification number (PIN) before being logged on to a
server. If a user enters an invalid password, passcode, or PIN the log
in request is denied.
There are two basic Sidewinder G2 authentication scenarios: proxy
authentication and Sidewinder G2 administrator authentication. The
following sections describe each scenario.
9
Setting Up Authentication 9-1

9
Authentication overview
9-2 Setting Up Authentication
Proxy authentication
You can configure the Sidewinder G2 to authenticate network users
trying to connect from one side of the Sidewinder G2 to another via a
Web, SOCKS5, Telnet, or FTP proxy. You can authenticate proxy use
for internal-to-external, external-to-internal, and internal-to-internal
connections.
Internal-to-external authentication
You can authenticate internal users whenever they try to access a
SOCKS5, Telnet, FTP server, or Web access through the Sidewinder
G2. While internal users are generally thought to be trusted,
authenticating internal-to-external proxy connections provides an
extra level of security and allows you to closely track who is using
each Internet service and how long they are using it. (See Chapter
17 for information on Sidewinder G2 reporting.) For example, you
might use this information for internal accounting. Note that if you
do not authenticate internal-to-external proxies, you can still track
Internet usage, but the tracking is done for each machine address
only (not for individual users).
External-to-internal authentication
You can authenticate SOCKS5, Telnet, FTP, or Web access from the
Internet to hosts on an internal network. For example, an internal
network may have Telnet, FTP, or Web servers that users at
another location need to access via the Internet. In most, if not all
cases, your Sidewinder G2 should be configured to authenticate all
external-to-internal proxy connections.
Internal-to-internal authentication
When your Sidewinder G2 is configured with two Ethernet cards
for two internal networks, you can authenticate SOCKS5, Telnet,
FTP, and Web access from one internal network to a second internal
network.

Administrator authentication
Authentication overview
When you log in to the Sidewinder G2, you are authenticated using
either standard UNIX password authentication or a stronger form of
authentication, such as SafeWord PremierAccess. If standard UNIX
password authentication is used, the password you provide is
maintained in the user database, and the Sidewinder G2 checks the
database to validate your password. Dynamic passwords, called
passcodes, or challenge/response information generated for stronger
authentication methods are not stored on the Sidewinder G2. Instead,
they are located on the associated authentication server. (Strong
authentication is described in the next section.) The default
administrator authentication method is configured in the Firewall
Accounts window. For information on configuring the default
administrator authentication method, see “Setting up and maintaining
administrator accounts” on page 3-5.
Administrators use Telnet or SSH to access a Sidewinder G2 from an
Admin Console. By default, standard UNIX password authentication is
used to validate this type of remote log in attempt.
Note: Secure Computing recommends using a strong authentication method for logon
attempts from a remote UNIX server.
Weak versus strong authentication
Secure Computing uses the terms “weak” and “strong” when referring
to the level of security provided by an authentication method. The
differences are discussed in the following section.
Weak authentication
A weak authentication method merely requires a user to enter the
same password each time he or she logs on. The “standard” UNIX
password process is considered to be a weak authentication method.
If someone “sniffs” the password off the phone line or network as it is
transmitted, they can conceivably use that password to break into the
system. Because your internal network is thought to be “trusted,” this
type of authentication is generally used for authenticating internal-toexternal
proxy connections.
Setting Up Authentication 9-3

Authentication overview
9-4 Setting Up Authentication
Strong authentication
A basic premise of security is to positively identify who is accessing
your networks. Strong user authentication performs this function and
is generally desired for external-to-internal proxy connections. An
authentication server, such as Secure Computing’s SafeWord
PremierAccess, typically resides an internal network burb. When a
user attempts to log in, the authentication server displays a passcode
prompt for the user.
A passcode is a unique, one-time response that is generated for the
user via a hardware or software authenticator known as a token.
Because the token generates a unique passcode for each log in
attempt, they are immune to password sniffing or theft. Because the
passcodes are generated by a cryptographic algorithm, they are
essentially impossible to guess.
When tokens are PIN-protected, this strong authentication method is
known as two-factor authentication. That is, authentication is based
on something the user knows (a PIN that allows access to the token)
and something the user has (a token that generates unique
passwords).
The Sidewinder G2 coordinates the passcode prompt and response
process between the authentication server and the user. The
authentication server maintains detailed information about user
accounts and connection times.
Hardware authenticators A hardware authenticator is a small, hand-held device that looks
similar to an ordinary calculator. The hardware authenticator displays
the proper log in response on a digital display. A hardware
authenticator is platform-independent and can be used from any PC
or workstation equipped for network communications.
Software authenticators In contrast, a software authenticator is installed directly on the user’s
PC or workstation. It automates the response process, requiring the
user only to enter a personal identification number (PIN). A valid PIN
unlocks the software authenticator, which then calculates and returns
the proper log in response. An example of a supported software
authenticator is the SafeWord PremierAccess SofToken-II.

Supported
authentication
methods
Supported authentication methods
Sidewinder G2 supports standard UNIX password authentication,
Windows Domain authentication, and the following stronger
authentication methods: SafeWord PremierAccess and SafeWord
RemoteAccess (from Secure Computing Corporation), SecureNet
Key (SNK) from Symantec Corporation, and SecurID from RSA
Security, Inc. Sidewinder G2 also supports the widely-used RADIUS
authentication protocol and the Lightweight Directory Access Protocol
(LDAP). All of these can be used to authenticate SOCKS5, Telnet, FTP,
and Web connections through the Sidewinder G2 and administrator
log in connections to the Sidewinder G2.
Note: Single Sign-On (SSO) can be used in conjunction with the authentication methods
listed below to cache a user’s initial authentication, thereby allowing access to multiple
services with a single authentication to the Sidewinder G2. For information on configuring
SSO, see “Configuring SSO” on page 9-27.
Table 9-1. Authentication methods available for the Sidewinder G2
Authenticatio
n Method
Standard
Password
SafeWord
(PremierAccess
and
RemoteAccess)
Security
Level
Recommended
Usage
Weak Internal-to-external login, FTP,
Telnet, Web, SOCKS5, or SSH
sessions
Strong External-to-internal login, FTP,
Telnet, Web, SOCKS5, or SSH
sessions
LDAP Weak Internal-to-external login, FTP,
Telnet, Web, SOCKS5, or SSH
sessions
Windows
Domain
SecureNet Key
(SNK)
Weak Internal-to-external login, FTP,
Telnet, Web, SOCKS5, or SSH
sessions
Strong External-to-internal login, FTP,
Telnet, or SSH sessions
SecurID Strong External-to-internal login, FTP,
Telnet, Web, SOCKS5, or SSH
sessions
RADIUS Strong External-to-internal login, FTP,
Telnet, Web, or SSH sessions
Server
Type
Authenticator
Type
Not applicable Not applicable
SafeWord Authentication
Server, external to the
Sidewinder G2
X.500 directory server,
external to the
Sidewinder G2
Windows primary
domain controller (PDC)
or backup domain
controller (BDC)
Defender Security Server
(DSS), external to the
Sidewinder G2
ACE/Server, external to
the Sidewinder G2
RADIUS server, external to
the Sidewinder G2
Software (SoftToken
II) and hardware token
(Silver 2000, Gold 3000,
Platinum)
Not applicable
Not applicable
SecureNet Key (SNK) or
Symantec Corporation
hardware
authenticator
SecurID hardware
authenticator
Any
Setting Up Authentication 9-5

Supported authentication methods
9-6 Setting Up Authentication
Below is a brief summary of the authentication methods supported by
the Sidewinder G2.
Standard password authentication
Standard password authentication requires a user to enter the same
password each time he or she logs on. This method typically is used
for authenticating a user’s internal-to-external SOCKS5, Telnet, FTP,
and Web connections, and local Sidewinder G2 administrator log ins.
Since the internal users are generally thought to be trusted, a weak
authentication method is probably all that is required. You may want
to authenticate internal-to-external connections not so much for
security reasons but to track usage of the system.
SafeWord authentication
The SafeWord family of authentication servers that interoperate with
the Sidewinder G2 includes SafeWord RemoteAccess and SafeWord
PremierAccess. The following table is provided as a reference to
better understand the authentication capabilities each server, and the
Sidewinder G2 authentication methods that are supported.
Table 9-2. Authentication capabilities of SafeWord servers
Feature/Capability
Sidewinder G2 authentication
methods supported
SafeWord
RemoteAccess
SafeWord
PremierAccess
RADIUS only SafeWord & RADIUS
Fixed passwords No Yes
Dynamic passcodes w/o
challenge
Dynamic passcodes with
challenge
Hardware tokens only Hardware and
software tokens
No Yes
Location of user database Active Directory SafeWord
Connectivity w/ the
Sidewinder G2
RADIUS ports only RADIUS ports or port
5030 (default)

Supported authentication methods
When connected to the Sidewinder G2 using standard RADIUS ports,
the authentication method is appropriately called RADIUS. This
method is available with both SafeWord RemoteAccess and SafeWord
PremierAccess. (For additional information on RADIUS, see “RADIUS
authentication” on page 9-8.)
SafeWord PremierAccess provides the ability to use fixed passwords
or passcode authentication for Telnet and FTP sessions through the
Sidewinder G2, and can be used to authenticate logins and SSH logins
to the Sidewinder G2. Web sessions can also be authenticated, but are
limited to using either fixed passwords or passcodes without the
challenge/response option. (Not all tokens support this option.)
The biggest advantages of using a tightly coupled configuration such
as SafeWord PremierAccess authentication, are the following:
An improvement in performance over RADIUS
The ability for PremierAccess to forward role information for a
user from the PremierAccess database to the Sidewinder G2.
(While SafeWord PremierAccess can be connected to Sidewinder
G2 via standard RADIUS ports, configurations the user’s role
cannot be made available to the Sidewinder G2.)
Note: SafeWord RemoteAccess is always connected to the Sidewinder G2 via standard
RADIUS ports and therefore cannot be assigned the SafeWord authentication method.
Aside from the ability to return a user’s role, SafeWord RemoteAccess provides equally
strong user authentication via the RADIUS interface.
LDAP/Active Directory
LDAP (Lightweight Directory Access Protocol)/Active Directory is a
protocol that you can use to provide fixed password authentication
for SOCKS5, Telnet, FTP, and Web sessions through the Sidewinder
G2. It can also be used to authenticate logins and SSH logins to the
Sidewinder G2. You can set up an LDAP directory server containing
users and passwords. Use any valid combination of LDAP attributes
and values as an optional filter string to distinguish authorized
Sidewinder G2 users.
Setting Up Authentication 9-7

Supported authentication methods
9-8 Setting Up Authentication
Windows Domain
If your organization operates a Windows primary domain controller
(PDC) or backup domain controller (BDC), you can use it to provide
weak authentication for login, SOCKS5, Telnet, FTP, Web, and SSH
sessions to the Sidewinder G2. The PDC or BDC can be used to
provide password authentication. Be sure the domain controller does
not allow blank or default logins that can be easily guessed by
outsiders.
SNK (SecureNet Key)/Symantec Defender authentication
If your organization operates a Defender Security Server (DSS) (made
by Symantec Corporation) you can use it to provide fixed password,
challenge/response, or password + challenge/response authentication
for SOCKS5, Telnet, and FTP sessions through the Sidewinder G2. It
can also be used to authenticate logins and SSH logins to the
Sidewinder G2. Web sessions can also be authenticated but are limited
to using the password authentication method.
SecurID authentication
If your organization operates an ACE/Server (made by RSA Security,
Inc.) you can use it to provide fixed or one-time password
authentication for login, SOCKS5, Telnet, FTP, Web, and SSH sessions
to the Sidewinder G2. For this authentication method, users enter a
PIN and a passcode that is displayed on the user’s SecurID
authenticator.
RADIUS authentication
If your organization operates a RADIUS server, you can use it to
provide strong authentication for SOCKS5, Telnet, FTP, and Web
sessions through the Sidewinder G2. It can also be used to
authenticate logins and SSH logins to the Sidewinder G2.

Authentication
process overview
Authentication process overview
SafeWord RemoteAccess and SafeWord PremierAccess are RADIUS
servers that have been certified for full interoperability with the
Sidewinder G2. As shown in Table 9-2, each method provides strong
authentication using passcodes for SOCKS5, Telnet, and FTP sessions
through the Sidewinder G2, and for authenticating logins and SSH
logins to the Sidewinder G2. Web sessions can also be authenticated,
but are limited to using fixed passwords or passcodes without a
challenge/response option.
For all authentication methods, a warder in the Sidewinder G2
communicates with an authentication server to validate users. A
warder provides an interface between the proxy software and the
various authentication services. As shown in Figure 9-1, there is a
separate warder for each authentication method.
Setting Up Authentication 9-9

Authentication process overview
Figure 9-1.
Authentication servers
supported by the
Sidewinder G2
9-10 Setting Up Authentication
3
Sidewinder G2
proxy
active rules
Windows Domain
warder
LDAP warder
RADIUS warder
SNK warder
SecurID warder
SafeWord
warder
password warder
user database
2 5
4
6
The numbers in Figure 9-1 represent the sequence of events that
occur when a remote user requests a network connection through the
Sidewinder G2. These events are described below. In this scenario,
the user is authenticated using SafeWord PremierAccess, which
implements a challenge-response authentication process. (Note that
the process is different for other authentication methods.)
1
client PC
or workstation
NT PDC OR BDC
LDAP SERVER
RADIUS SERVER
DEFENDER SEC.
SERVER (DSS)
ACE SERVER
SAFEWORD
SERVER
database
database
database
database
database
database
Note: The numbers in this
figure correspond to the
process overview steps listed
on the next page.

Users, groups, and
authentication
Configuring
authentication
services
Users, groups, and authentication
1. A user tries to make a network connection via Telnet or FTP.
2. The Sidewinder G2 checks the active rules to determine whether the
connection between the source and destination addresses is allowed
and to determine which warder to use.
3. If the connection is allowed, the proxy contacts the appropriate warder
in the Sidewinder G2.
4. The warder passes the log in request to the appropriate authentication
server. The server checks the data base to verify the user’s log in name is
registered and then generates a log in prompt.
5. The log in challenge is sent to the user. Using client software or a
hardware authenticator, the user types in the proper response to the
prompt.
6. The Sidewinder G2 sends the response to the authentication server. The
authentication server checks the response and informs the Sidewinder
G2 to either accept or reject the log in request.
As a Sidewinder G2 administrator, you are responsible for configuring
the Sidewinder G2 to work with the desired authentication server. The
first step is identifying the users that will need authentication services
on the Sidewinder G2. You can set up authentication on a user-byuser
basis or create user groups. A user group is a mechanism that
allows you to identify multiple users by a single name, making it
easier to configure authentication requirements for your network.
Note: The procedures to add users to the user database and set up user groups are
described in Chapter 5.
After defining and creating the appropriate user groups for your site,
you need to configure the authentication method(s) that your site will
use. The following section describes what needs to be done to
configure the Sidewinder G2 for authenticating users or
administrators.
To configure authentication services for the Sidewinder G2, start the
Admin Console and select Services Configuration -> Authentication. The
Authentication Configuration window appears.
Note: You must configure an authentication method before it can be enabled.
Setting Up Authentication 9-11

Configuring authentication services
Figure 9-2.
Authentication
Configuration window
About the Authentication
Configuration window
9-12 Setting Up Authentication
This window allows you to configure authentication services on the
Sidewinder G2. You can also manage locked out administrators and
SSO-authenticated users. You can perform the following actions in
this window:
Configure an authentication method—To configure an authentication
method, click the appropriate Configure button. (If you attempt to
enable an authentication method that has not yet been configured,
you will be prompted to configure the method first.) The following
authentication methods can be configured:
— LDAP/Active Directory—To configure LDAP/Active Directory
authentication, see “Setting up LDAP authentication” on page
9-16.
— Password—To configure password authentication, see “Setting
up password authentication” on page 9-18.
— RADIUS—To configure RADIUS authentication, see “Setting up
RADIUS authentication” on page 9-19.
— SafeWord—To configure SafeWord PremierAccess
authentication in a tightly coupled configuration, see “Setting
up SafeWord authentication” on page 9-21. (SafeWord
PremierAccess and SafeWord RemoteAccess can also be
configured using the RADIUS interface.)
— SecurID—To configure SecurID authentication, see “Setting up
SecurID authentication” on page 9-22.

Configuring authentication services
— SNK/Symantec Defender—To configure SecureNet (SNK)/
Symantec Defender authentication, see “Setting up SecureNet
Key (SNK) authentication” on page 9-24.
— Windows Domain—To configure Windows Domain
authentication, see “Setting up Windows Domain
authentication” on page 9-26.
Enable/disable an authentication method—A check mark appears in
front of authentication methods that are currently enabled. To
enable an authentication method, select the appropriate check box
under the Enable Warders area. To disable an authentication
method, deselect the appropriate check box in the Enable Warders
area.
Note: If you attempt to enable an authentication method that has not yet been
configured, you will be prompted to configure the method first.
Manage locked out users—To configure the Sidewinder G2 to
lockout a user if the number of failed authentication attempts
reaches the specified lockout threshold, or to manage users who
are currently locked out, click Authentication Failure Locked Out Users
and see “Configuring and managing the locked out users” on page
9-14 for details.
View SSO Authenticated Users—To view users currently in the SSO
authenticated cache, click Current SSO Authenticated Users, and see
“Viewing currently authenticated SSO users” on page 9-15.
Configure external authorization roles—The External Authorization Roles
list displays the roles defined by an external authentication
program (for example, SafeWord PremierAccess or LDAP/Active
Directory) that can be used within a the Sidewinder G2 proxy rule.
Use the New, Modify, and Delete buttons to manage this list. If you
click New or Modify under the External Authorization Roles field,
the New (or Modify) External Authorization Roles window
appears.
Note: See “Creating proxy rules” on page 7-4 for information on how these roles are
used in a proxy rule. (You may need to consult the administrator of your particular
authentication program for the names of the roles to add to this list.)
Setting Up Authentication 9-13

Configuring authentication services
9-14 Setting Up Authentication
About the New (or Modify) External Authorization Roles window
The New (or Modify) External Authorization Roles window contains a
single External Role field in which you specify a name for the external
role. Currently, the only external authorization servers that support
roles within a proxy rule are SafeWord PremierAccess and LDAP/
Active Directory. The name of the external role must match the name
of a group within the server (SafeWord PremierAccess or LDAP) to
which the user belongs.
Click Add to add the entry to the External Authorization Roles list, to
add the entry and close the window.
Configuring and managing the locked out users
This window allows you to configure the authentication failure
lockout feature on your Sidewinder G2. The authentication failure
lockout feature allows you to configure the Sidewinder G2 to block
access to a user if the number of consecutive failed authentication
attempts reaches a configured number. This protects unauthorized
users from multiple attempts at guessing an user’s password. Using
this window, you can perform the following actions:
Important: If all administrators become locked out of the Sidewinder G2, see “Manually
clearing an authentication failure lockout” on page A-21.
Enable or disable the lockout feature—When this feature is enabled,
any time a user account surpasses the specified authentication
attempt threshold without a successful authentication, that user
will be locked out until the lock is cleared by an administrator. The
locked can also be cleared if the locked out administrator logs in
at the Sidewinder G2 using the correct login information. To
enable this feature, select the Enable radio button. To disable this
feature, select the Disable radio button.
Note: When authentication failure lockout is enabled, the client-side cache is
emptied and authenticated allow rules will not be cached.
View locked out users—The Locked Out Users area lists any users who
are currently locked out of the Sidewinder G2 due to exceeded
authentication failures. It will also display the number of failed
login attempts for each user.

Figure 9-1. SSO Cached
Authentication Users
Configuring authentication services
Configure the lockout threshold—The Lockout Threshold field allows
you to specify the number of failed login attempts that can occur
for a single user account before that user is locked out of the
Sidewinder G2.
Note: When a user is locked out, their authentication method will become invalid.
They will NOT be notified that they are locked out.
Clear user locks—To clear the lock for a user select the user and
click Clear.
Viewing currently authenticated SSO users
This window allows you to view the current SSO-authenticated
(cached) users. In this window, you have the option to override the
authentication cache default values and immediately expire user SSO
authentication for one or more users.
The Authentication Cache table allows you to view all users who are
currently authenticated (cached) using SSO. The following fields are
displayed in the table:
Note: If you disable the SSO server, the authenticated user cache will be emptied. When
the SSO server is enabled again, all users will need to authenticate before being added
back into the cache.
Note: For information on configuring SSO, see “Configuring SSO” on page 9-27.
Name—This column displays the name(s) of all users who
currently have cached authentication.
External Group—This column displays the external group to which
a user belongs.
Setting Up Authentication 9-15

Configuring authentication services
9-16 Setting Up Authentication
Warder—This column displays the type of authentication utilized
by a user.
IP Address—This column displays the source IP Address from
which the authentication request originated.
Time of User Entering Cache—This column displays the time at which
a user was initially authenticated and added to the cache.
Time Cached Data Last Accessed—This column displays the time at
which a user last accessed service that required authentication.
To expire the SSO authentication cache for all users listed in the table,
click Expire All Entries. To expire the SSO authentication cache for a
single user or group of users, select the users you want to expire by
clicking on the appropriate table row(s). To select multiple users,
press and hold the Ctrl key as you select users. Then click Expire
Entry(s) to expire the selected users from the authentication cache.
When you expire the authentication cache for a user(s), those users
will be required to re-authenticate before they can again access any
authenticated services.
Note: Subsequent authentication requests by an expired user will be cached when they
re-authenticate, allowing them to again utilize SSO authentication.
Setting up LDAP authentication
To configure LDAP authentication on the Sidewinder G2, in the
Admin Console select Services Configuration -> Authentication, and click
Configure LDAP. The following window appears.

Figure 9-3. LDAP
configuration window
Entering information on the
LDAP Configuration
window
Configuring authentication services
This window is used to configure your Sidewinder G2 to work with
an LDAP server. The top portion of the window displays a list of any
current LDAP servers you have defined. To add a new server, click
New. To modify an existing server, highlight the server and click
Modify. See “About the LDAP Configuration: Domain Controller
Configuration window” on page 9-18 for instructions on adding or
modifying an LDAP server entry. To configure the general LDAP
properties for all of the defined LDAP servers, follow the steps below.
1. In the Maximum Retries field, specify the number of authentication
attempts that will be made before a failure is issued. The default is 3.
2. In the Timeout field, specify the number of seconds to wait for the
server to respond. The default is 60 seconds.
3. In the Login Prompt field, specify the prompt that you want to appear
for the user name portion of the login process. The default is Username.
4. In the Password Prompt field, specify the prompt that you want to
appear for the password portion of the login process. The default is
Password.
5. In the User Attribute field, specify the attribute that will be used to
define usernames in the LDAP server. The default is uid (used by
i-Planet).
Setting Up Authentication 9-17

Configuring authentication services
About the LDAP
Configuration: Domain
Controller Configuration
window
9-18 Setting Up Authentication
6. In the Member Attribute field, specify the attribute that will be used to
check for group membership. The default is uniquemember (used by
i-Planet).
7. In the Search Base field, specify the user directory sub-tree. For example,
i-Planet defaults to the People directory, as follows: ou=People.
8. [Optional] In the Filter field, you can specify a free-form LDAP search
filter that must match a user entry before that user can be
authenticated. The filter is not enabled by default. Only administrators
who are familiar with the free-form LDAP search capability should
configure a filter value.
9. [Optional] In the Domain field, specify the network domain that will be
used for LDAP. Only for Windows Active Directory.
10. Click OK to return to the Authentication window.
11. Click the Save icon to save your changes.
Note: If you want to use LDAP authentication after it is configured, you must also
enable it in the Authentication Configuration window.
The LDAP Configuration Domain Controller window allows you to
configure the IP address and port for an LDAP server. Follow the steps
below.
1. In the IP Address field, type the IP address for the LDAP server.
2. In the Port Number field, type the port that the LDAP server should use.
The default port is 389.
3. Click OK to add the LDAP server to the list of configured LDAP servers.
4. Click the Save icon in the toolbar to save your changes.
Setting up password authentication
To configure password authentication on the Sidewinder G2, in the
Admin Console select Services Configuration -> Authentication, and click
Configure Password. The following window appears.

Figure 9-4. Password
Configuration window
Entering information on the
Password Configuration
window
Configuring authentication services
This window is used to configure password authentication on the
Sidewinder G2. Follow the steps below.
1. In the Login Prompt field, type the prompt text that you want to appear
when the Telnet proxy service prompts a user for his or her user name.
Note: The prompt you configure in this field is only used for the Telnet proxy service,
and only appears after an authentication attempt of this type has failed.
2. In the Password Prompt field, type the prompt text that you want to
appear when the Sidewinder G2 prompts a user for his or her password.
3. In the Expiration Message field, type the message you want to appear
when a user’s password has expired.
4. In the Password Expiration Timespan field, type the number of days the
password will be valid.
5. Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use password authentication after it is configured, you must
also enable it in the Authentication Configuration window.
Setting up RADIUS authentication
RADIUS is a standard protocol used to authenticate users before they
are allowed access to your system. To configure the Sidewinder G2 to
work with a RADIUS server, start the Admin Console and select
Services Configuration -> Authentication, and click Configure Radius. The
following window appears.
Setting Up Authentication 9-19

Configuring authentication services
Figure 9-5. RADIUS
configuration window
Entering information on the
RADIUS window
9-20 Setting Up Authentication
This window is used to configure RADIUS authentication on the
Sidewinder G2. Follow the steps below.
1. The Radius Servers table lists the RADIUS servers currently configured
for the Sidewinder G2. To configure the Radius Servers table, do one of
the following:
New—Click this button to create a new server entry. See “Adding
or modifying a RADIUS server entry” on page 9-21 for details.
Modify—Click this button to modify the selected server entry. See
“Adding or modifying a RADIUS server entry” on page 9-21 for
details.
Delete—Click this button to remove the selected server entry.
2. In the Login Prompt field, type the login prompt that you want to
appear when a user authenticates using RADIUS (the default is
Username:).
3. In the Password Prompt field, type the password prompt that you want
to appear when a user authenticates using RADIUS (the default is
Password:).
4. In the Failed Authentication Message field, type the message that you
want to display if the user incorrectly enters their authentication
information (the default is Login incorrect).
5. Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use RADIUS authentication after it is configured, you must also
enable it in the Authentication Configuration window.

Adding or modifying a
RADIUS server entry
Figure 9-6. SafeWord
Configuration window
About the SafeWord
Configuration window
Configuring authentication services
The RADIUS Configuration: Domain Controller Configuration window
is used to create a new server entry or to modify an existing server
entry. Follow the steps below.
1. In the IP Address field, type the IP address used by the RADIUS server.
2. In the Port Number field, specify a port number used by the RADIUS
server. (The default port is 1812.)
3. In the Shared Secret field, type any text string or phrase. This must
match the Shared Secret defined on the RADIUS server.
4. Click Add to add the entry to the list of RADIUS servers, and then click
Close.
Setting up SafeWord authentication
This section describes how to configure your Sidewinder G2 to work
with a SafeWord PremierAccess authentication server for login,
SOCKS5, Telnet, FTP, Web, or SSH authentication.
To configure SafeWord PremierAccess authentication on the
Sidewinder G2, you must first install and configure the SafeWord
PremierAccess Authentication Server. (Refer to the appropriate
product documentation.)
In the Admin Console select Services Configuration -> Authentication,
and click Configure SafeWord. The following window appears.
This window allows you to view and modify your SafeWord
PremierAccess server entries. The SafeWord Configuration tab
contains a table with the following fields:
Setting Up Authentication 9-21

Configuring authentication services
Adding or modifying a
SafeWord server entry
9-22 Setting Up Authentication
Rank—This column indicates which server the Sidewinder G2 will
try first.
Host—This column indicates the host (IP address) for each server
entry.
Port Number—This column indicates the port number for each
server entry. The default port number for SafeWord PremierAccess
is 5030. (If you are configuring a server entry for SafeWord, you
will need to change the port to 7482.)
To delete an existing entry, highlight that entry and click Delete.
To create a new server entry, click New. To modify an existing server
entry, highlight the entry you want to modify, and click Modify. See
“Adding or modifying a SafeWord server entry” on page 9-22 for
details.
Note: If you want to use SafeWord PremierAccess authentication after it is configured,
you must also enable it in the Authentication Configuration window.
The SafeWord Server Configuration window is used to create a new
server entry or to modify an existing server entry. Follow the steps
below.
1. In the IP Address field, type the IP address used by the SafeWord
PremierAccess Authentication Server.
2. In the Port Number field, specify a port number used by the SafeWord
PremierAccess Authentication Server. (The default port for SafeWord
PremierAccess is 5030.)
3. Click Add to add the entry to the list of SafeWord servers, and then click
Close.
Setting up SecurID authentication
This section describes how to configure your the Sidewinder G2 to
work with an ACE Server for login, SOCKS5, Telnet, FTP, Web, or SSH
authentication. Follow the steps below.
1. Install and configure the ACE server software.
Note: Be sure to add the Sidewinder G2 as a client. Refer to your ACE server
documentation for details.
Note: If you need to reinstall Sidewinder G2 software you must disable the Send
Node Secret option in the Edit Client window on the ACE server. This will cause the
ACE server to resend the node secret to the Sidewinder G2.

Figure 9-7. SecurID
Configuration window
Entering information on the
SecurID Configuration
window
Configuring authentication services
2. Import the ACE Server configuration file (sdconf.rec) to a directory (for
example, the /tmp directory) on the Sidewinder G2 or directly to the
Admin Console system.
The ACE Server configuration file is created on the ACE Server. It must
be transferred to a temporary location on the Sidewinder G2 or Admin
Console via FTP or diskette.
3. Start the Admin Console and select Services Configuration ->
Authentication and click Configure SecurID. The following window
appears.
This window allows you to specify the installation configuration file
location. Follow the steps below.
1. In the Source field, specify whether the configuration file is stored on
the Admin Console (Local File) or on the Sidewinder G2 (Remote File).
2. In the Install Configuration File field, type the path name of the file in
which you stored the ACE Server configuration. This is the same file you
imported in step 2 of “Setting up SecurID authentication” on page 9-22.
To browse for the location of the configuration file rather than typing it
directly, click Browse.
3. Click OK to save your changes before returning to the Authentication
Configuration window. This assigns the sdconf.rec file the proper Type
Enforcement type and installs the file in the correct Sidewinder G2
directory.
Note: If you want to use SecureID authentication after it is configured, make sure
you enable it in the Authentication Configuration window.
Setting Up Authentication 9-23

Configuring authentication services
9-24 Setting Up Authentication
Setting up SecureNet Key (SNK) authentication
To configure your Sidewinder G2 to work with Symantec Defender
Security Server (DSS) for login, SOCKS5, Telnet, FTP, Web, and SSH
authentication, follow the steps below.
Note: Configuring SNK consists of performing some configuration tasks on the DSS and
some on the Sidewinder G2.
On the Defender Security System, do the following:
1. Install the Defender Security Server and Defender Management (DMS)
software. Refer to your Defender documentation for installation
information. If DSS is already installed in your network, you can skip this
step.
2. Register your Sidewinder G2 with the DMS software. Refer to your
Defender documentation for registration information.
Important: The Agent ID can consist of 1–16 ASCII characters. The Agent Key
must consist of exactly 16 hexadecimal digits. The values used in the DMS software
must also be entered on your Sidewinder G2 (in step 1 and step 2 on page -25.) If the
values are not identical, the Sidewinder G2 will not accept the login, SOCKS5, Telnet,
FTP, Web, or SSH proxy connections.
3. Use the DMS software to create accounts for users. Refer to the DMS
documentation you received from Symantec.
On the Sidewinder G2, do the following:
4. Start the Admin Console and select Services Configuration ->
Authentication and click Configure SNK. The following window appears.
Note: If you change the SNK configuration on the Sidewinder G2 while there are
active SNK-authenticated sessions, when the sessions are terminated Defender
Security Server (DSS) will not be notified. DSS will continue to report that those
sessions are active. To avoid this, make SNK changes only from the Administrative
kernel (which will guarantee that no SNK-authenticated sessions exist).

Figure 9-8. SNK
Configuration window
Entering information on the
SNK Configuration window
Configuring authentication services
This window is used to configure SecureNet Key (SNK) authentication
on the Sidewinder G2. Follow the steps below.
Note: You must configure a primary or backup defender server (or both) before you can
enable SNK authentication.
1. In the Sidewinder Agent ID field, type the ID you used when you
registered the Sidewinder G2 with the WinDMS software. The ID must
match the ID created in step 2 on page -24 exactly or the connection
will not be accepted.
2. In the Sidewinder Agent Key field, type the key you used when you
registered the Sidewinder G2 with the WinDMS software. The key must
match the key created in step 2 on page -24 exactly or the connection
will not be accepted.
3. In the Primary Defender Server area, configure a Primary Defender
Server, as follows:
a. In the IP Address field, type the IP address used by the DSS system.
b. In the Port Number field, type the port number used by the DSS
system. This number must be larger than 1024.
4. [Optional] In the Backup Defender Server area, do the following:
a. In the IP Address field, type the IP address for the backup DSS
system.
b. In the Port Number field, type the port number used by the backup
DSS system.
5. Click OK to save your changes and return to the Authentication window.
Note: If you want to use SNK authentication after it is configured, make sure you
enable it in the Authentication window.
Setting Up Authentication 9-25

Configuring authentication services
Figure 9-9. Windows
Domain configuration
window
Entering information on the
Windows Domain
Configuration window
9-26 Setting Up Authentication
Setting up Windows Domain authentication
To configure Windows Domain authentication on the Sidewinder G2,
in the Admin Console select Services Configuration -> Authentication and
click Configure Domain. The following window appears.
This window is used to configure your Sidewinder G2 to work with a
Windows primary domain controller (PDC) or backup domain
controller (BDC). Follow the steps below.
1. The Windows Domain Controllers table lists the Windows domain
controllers currently configured for the Sidewinder G2. To configure the
domain controllers, do one of the following:
New—Click this button to create a new domain controller entry.
See “Adding or modifying a Windows domain controller entry” on
page 9-27 for details.
Modify—Click this button to modify the selected entry. See
“Adding or modifying a Windows domain controller entry” on
page 9-27 for details.
Delete—Click this button to remove the selected entry.
2. In the Login Prompt field, specify the login prompt that you want to
display to users when they log in. The default is Username.
3. In the Password Prompt field, specify the password prompt that you
want to display to users when they log in. The default is Password.

Adding or modifying a
Windows domain controller
entry
Configuring SSO
4. In the Failed Authentication Message field, specify the message that you
want to display if a user’s authentication attempt fails. The default is
Login incorrect.
5. Click OK to save your changes before returning to the Authentication
Configuration window.
Note: If you want to use Windows Domain authentication after it is configured,
make sure you enable it in the Authentication Configuration window.
The Domain Controller Configuration window is used to add or
modify a domain controller entry. Follow the steps below.
1. In the IP Address field, type the IP address used by the Windows domain
controller.
The Port Number field displays the port used by the Windows domain
controller. The default value is 139. This field cannot be modified.
2. In the Windows Domain Controller Name field, type the name of this
Windows domain controller. Type only the host or computer name, not
the fully qualified name. You can determine the name by selecting My
Computer -> Control Panel -> Network on the Windows controller.
3. Click Add to add the entry to the list of Windows domain controllers.
Configuring SSO Single sign-on (SSO) works in conjunction with a specified
authentication method to cache a user’s initial authentication, thereby
allowing access to multiple services with a single successful
authentication to the Sidewinder G2.
This is done by storing the source IP address for a successful
authentication in a cache. All proxy rule services that require
authentication will check that cache for successful authentication. If
the source IP address exists in the cache, transparent authentication
based on the initial authentication takes place and the user is allowed
access without manually re-authenticating.
You can configure SSO to expire cached authentications after a
specified time period has passed (for example, you may choose to
require each user to re-authenticate every two hours). You also have
the option to require a user to re-authenticate after a specified period
of idle time (for example, a user must re-authenticate if the cached
authentication has not been accessed for one hour or more). You also
have the option to manually expire cached authentication for a
specific user(s) or for all users, at any time.
Setting Up Authentication 9-27

Configuring SSO
Figure 9-10. SSO
Configuration tab
Entering information on the
Single Sign On
Configuration window
9-28 Setting Up Authentication
To configure SSO, in the Admin Console select Services Configuration ->
Servers, and select the SSO server. To enable the SSO server, select the
check boxes for the appropriate burbs. To configure the SSO server,
select the Configuration tab. The following window appears.
This window allows you to configure Single Sign On authentication
on the Sidewinder G2. Follow the steps below.
1. In the Authentication Methods Used to Establish SSO Credentials, select
the authentication methods that will be allowed to store cached
authentication credentials using SSO.
Note: Only authentication methods that have been configured and enabled will be
available to select in this window. For information on the available types of
authentication, see “Supported authentication methods” on page 9-5.
2. In the Default Method drop-down list, select the authentication method
that will be used if multiple methods are available and the user does not
specify a method to use during login.
3. If you want to require that a user log in via the SSO Web interface, select
the Require Web Login check box.
4. In the Web Login area, do the following:
a. In the Port field, type the port that will be used to log in on the Web.
(The default port is 8111.)

Configuring SSO
b. In the Edit Login Page Banner field, you can configure the Web page
banner that appears when a user successfully logs in. To view the
existing banner, click the corresponding View button. To modify the
login page banner, click the corresponding Edit HTML button. For
information on using the File Editor to configure the banner page,
see “Using the Admin Console File Editor” on page 2-12.
c. In the Edit Logout Page Banner field, you can configure the Web
page banner that appears when a user successfully logs out. To view
the existing banner, click the corresponding View button. To modify
the logout page banner, click the corresponding Edit HTML button.
For information on using the File Editor to configure the banner
page, see “Using the Admin Console File Editor” on page 2-12.
5. In the Authenticate Inactive Users Every field, specify how often a user’s
account must remain inactive before they must re-authenticate, as
follows:
a. In the corresponding drop-down list, select the time increment you
want to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,
Months, and Years.
b. In the text box, specify the number of seconds, minutes, hours
before a user will be required to re-authenticate.
6. In the Force Authentication Every fields, specify a time period in which a
user must re-authenticate regardless of whether the account is inactive
or being used, as follows:
a. In the corresponding drop-down list, select the time increment you
want to use. Valid options are Seconds, Minutes, Hours, Days, Weeks,
Months, and Years.
b. In the corresponding text box, specify the number of seconds,
minutes, hours before a user will be required to re-authenticate.
7. Click the Save icon in the toolbar to save your changes and return to the
Authentication Configuration window.
8. Ensure that the pre-configured Single Sign-On proxy rule has been
included in your active rule group. The Single Sign-On proxy rule is
configured to use a pre-configured Secure Web Application Defense
called Single Sign-on, a Secure Web defense that uses SSL decryption to
increase the security of data transactions.
Important: You must also ensure that SSO authentication is configured for each
rule for which you want to use SSO. See “Creating proxy rules” on page 7-4.
Setting Up Authentication 9-29

Setting up authentication for services
Setting up
authentication for
services
9-30 Setting Up Authentication
Accessing the Web login and logout pages
When Web Login is configured for SSO, any time a user attempts to
access the Web the login window will appear prompting them to
authenticate. A user can also access the authentication login page by
directing their browser to:
https://SidewinderG2_address.com:8111/sidewinder/login.html
If a user wants to log out of the SSO cache manually (before their SSO
authentication cache expires), they can point their browser to:
https://SidewinderG2_address.com:8111/sidewinder/logout.html
If a browser is configured for the proxy, you will need to configure
that browser to NOT proxy requests going to the Sidewinder G2 on
port 8111. The following steps provide an example of configuring an
exception using Netscape.
1. Open Netscape and select Edit -> Preferences -> Advanced -> Proxies.
2. Select Manual Proxy Configuration.
3. In the No Proxy For field, type the URL for the Sidewinder G2 (for
example, G2name.xyz.com.
4. Click OK to save the information and exit.
To require authentication for users who require any services that use
authentication (for example, HTTP, Web, SOCKS5, sshd, VPN, Telnet,
FTP, and the Admin Console), you will need to configure the
appropriate proxy rule(s) for each service, and ensure that they are
included in the active proxy rule group.
You can configure a proxy rule to support multiple authentication
methods if multiple methods have been configured on the Sidewinder
G2. In this scenario, a user can specify the authentication method that
they want the Sidewinder G2 to use when they reply to a login
prompt. For example, the following shows how a user can specify
each authentication method from the login prompt:

Setting up authentication for services
>: login_name:password
>: login_name:ldap
>: login_name:msnt
>: login_name:snk
>: login_name:securid
>: login_name:safeword
>: login_name:radius
Tip: You only need to enter the first three characters for the name of the authentication
method. For example, the following specifies minimum characters needed for each
method:
lda LDAP
msn Windows Domain
pas password
snk SNK
sec SecurID
saf SafeWord
rad Radius
Note: The Default Method drop-down list in the Authentication tab of the Rule window
selects the authentication method the Sidewinder G2 uses when the user does not specify
an authentication method during log in.
After you enable an authentication method for a specific proxy rule,
users will have to enter the information required by that method
whenever they try to utilize a service associated with that rule.
Note: For standard password authentication, you should inform those users how they
can change their own log in password from their terminal or workstation using a Web
browser such as Netscape or Internet Explorer. See “How users can change their own
password” on page 9-36.
Special authentication notes
This section provides some special considerations that users should
be made aware of regarding Telnet and FTP authenticated
connections through the Sidewinder G2.
Setting Up Authentication 9-31

Setting up authentication for Web sessions
Setting up
authentication for
Web sessions
9-32 Setting Up Authentication
Changing user passwords and PINs for authentication methods
The Sidewinder G2 supports changing user passwords and PINs
only under the Telnet proxy. For example, users can change their
DSS password or their SafeWord PremierAccess PIN via the Telnet
proxy. (Refer to the documentation for your authentication method
for information on the commands used to change passwords and
PINs.) Passwords and PINs cannot be changed using the FTP, Web,
or SOCKS5, proxy. The user must either initiate a Telnet proxy session
or they can contact their system administrator.
Switching authentication methods during a log in session
The Sidewinder G2 allows you to use multiple authentication
methods for a given service (for example, users might use either
SafeWord PremierAccess or SecurID for Telnet authentication).
When logging on, if a user specifies the incorrect authentication
method and authenticator, they cannot then specify a different
authentication method. The Sidewinder G2 does not support
changing warders in the middle of a session, so the user must
close the session with the incorrect authentication warder and start
a new session specifying the correct authentication warder.
Sessions through SNK hang if a user ID is not entered before the
connection times out
If you are using SecureNet Key (SNK) for authentication, and a
connection times out before a Telnet or FTP user enters a user ID,
the challenge or password prompts are not sent and the session
hangs. Users can escape from a Telnet session and get a new
prompt by simultaneously pressing the Control and end bracket (])
keys. For FTP sessions, the process must be terminated.
You can require users to enter a password before they are allowed
Web access. To do so requires that the user access the Web using
either the Web proxy server or the HTTP proxy, both of which can
authenticate using either fixed or one-time passwords, but cannot use
a challenge/response form of authentication.
Follow these steps to set up Web authentication.
1. Ensure that the authentication method you want to use is configured
and enabled. See “Configuring authentication services” on page 9-11.

Setting up
authentication for
administrators
Setting up authentication for administrators
2. Ensure that the Web proxy server or HTTP proxy is configured, enabled,
and is using the proper authentication method.
To enable and configure the Web proxy server, see “Configuring
the Web proxy server” on page 12-12.
To enable and configure the HTTP proxy, see “Configuring proxy
properties” on page 8-28.
3. Add or modify proxy rules as needed. You must create one or more
rules that define Web access between two burbs on your Sidewinder
G2.
Note: When using standard password authentication, you may want to allow users
to change their own log in password from their terminal or workstation. See
“Allowing users to change their passwords” on page 9-34.
By default, all administrators who log in to the Sidewinder G2 are
authenticated using standard password authentication. You can
configure the Sidewinder G2 to require a stronger authentication for
administrator log in methods. To do so, see “Setting up authentication
for services” on page 9-30 to modify the appropriate proxy rule(s). For
example, if your Sidewinder G2 was installed with the Standard
Internet set of services you might modify the login_console proxy rule.
When an administrator replies to a login: prompt during a console
or Telnet connection request, they can chose the authentication
method the Sidewinder G2 should use. For example:
>login: login_name:-password
>login: login_name:-ldap
>login: login_name:-msnt
>login: login_name:-snk
>login: login_name:-securid
>login: login_name:-safeword
>login: login_name:-radius
Note that this is similar to the response entered by your Telnet, FTP,
SOCKS5, and Web users (see “Setting up authentication for services”
on page 9-30), except that a dash (-) must precede the name of the
authentication method. Shortcuts cannot be used; you must enter the
entire name.
Setting Up Authentication 9-33

Allowing users to change their passwords
Allowing users to
change their
passwords
9-34 Setting Up Authentication
The Sidewinder G2 changepw server allows external users to use a
Web browser to change their Sidewinder G2, SafeWord
PremierAccess, or LDAP login password. The changepw server runs
on the firewall burb, and communicates with other burbs via a proxy.
To allow this process to occur, do the following:
Note: As an administrator, you should inform users how they can change their own
password. See “How users can change their own password” on page 9-36.
1. Enable the changepw server, as follows:
a. In the Admin Console, select Services Configuration -> Servers, and
select changepw from the Servers list.
b. Enable the changepw server by selecting the Enable radio button.
(To disable the server, select the Disable radio button.)
c. Click the Save icon in the upper left portion of the window to save
your changes.
2. Create a changepw-form proxy rule and ensure that it is included in the
active proxy rule group. Table 7-2 summarizes the key settings for this
proxy rule. Refer to “Creating proxy rules” on page 7-4 for details on
using the Admin Console to create a proxy rule.
Note: Before creating the proxy rule, you may need to create the network objects
that will be specified in the Destination and Redirect Host fields. In particular, make
sure the network object representing the localhost address of the firewall burb
(127.0.0.1) is created.

Allowing users to change their passwords
Table 9-3. Proxy rule settings to allow users to change their log in passwords
Criteria Setting
Proxy Name: burbname_changeform
Service Type: Proxy
Service: changepw-form
Action: Allow
Src Burb: Desired burb (for example Internet)
Dst Burb: Desired burb (for example Internet)
Source: Site dependent
Destination: Network object for the IP address of the desired burb
Redirect Host: localhost
User Groups: Site Dependent
Authentication: None
3. Enable the changepw_form proxy for the necessary burb(s).
a. Start the Admin Console and select Services Configuration ->
Proxies. The Proxies window appears.
b. Select the changepw_form proxy from the list of proxy names and
enable it for the desired burbs.
c. Click the Save icon in the toolbar to save your changes.
4. (Optional: Web proxy only) Update the ERR_SCC_EXPIRED_PASSWORD
file on the Sidewinder G2 by doing the following:
a. Change to the /usr/local/squid/etc/errors directory by entering the
following command.
cd /usr/local/squid/etc/errors
b. Create a backup copy of the ERR_SCC_EXPIRED_PASSWORD file.
cp ERR_SCC_EXPIRED_PASSWORD
ERR_SCC_EXPIRED_PASSWORD.orig
Setting Up Authentication 9-35

How users can change their own password
How users can
change their own
password
9-36 Setting Up Authentication
c. Modify the contents of the ERR_SCC_EXPIRED_PASSWORD file as
instructed in the file, for example:
delete the line “Please follow the instructions your administrator
has give you to change your Web proxy password.”
delete the “

. Select Manual Proxy Configuration.
How users can change their own password
c. In the No Proxy For field, type the URL for the Sidewinder G2 (for
example, G2name.xyz.com.
d. Click OK to save the information and exit.
3. Open an HTTP connection to the Sidewinder G2. For example:
http://mysidewinder.abc.com:1999/
A pre-defined HTML change password form appears.
4. Enter your username.
5. Enter your current password. This is your current password for
establishing network connections.
6. Enter your new password. This will be your new password for
establishing network connections.
7. Re-enter the new password. This confirms the spelling of the new
password.
8. Select one of the following password types:
If you are changing a Sidewinder G2 login password, select
Password.
If you are changing a SafeWord PremierAccess login password,
select SafeWord.
If you are changing an LDAP password, select LDAP.
9. Click Send Request.
This sends the change password request to the Sidewinder G2. You will
be notified if the request failed or if it is accepted. If the request is
accepted, the password database is updated and the new password
must be used for all future connections.
Setting Up Authentication 9-37

How users can change their own password
9-38 Setting Up Authentication

C HAPTER 10
Domain Name System (DNS)
About this chapter This chapter describes how the Sidewinder G2 functions as a name
server for your site. The chapter contains the following topics:
“What is DNS?” on page 10-1
“About mail exchanger records” on page 10-4
“Configuring the internal network to use hosted DNS” on page 10-
5
“Enabling and disabling your DNS server(s)” on page 10-6
“Advanced configurations” on page 10-8
“Managing your current DNS configuration” on page 10-9
“Configuring transparent name servers” on page 10-9
“Configuring hosted DNS servers” on page 10-11
“Reconfiguring DNS” on page 10-29
“Manually editing DNS configuration files” on page 10-35
“DNS message logging” on page 10-36
What is DNS? The domain name system (DNS) is a service that translates host names
to IP addresses, and vice versa. DNS is necessary because while
computers use a numeric addressing scheme to communicate with
each other, most individuals prefer to address computers by name.
DNS acts as the translator, matching computer names with their IP
addresses.
Much of the traffic that flows into and out of your organization must
at some point reference a DNS server. In many organizations this
server resides on a separate, unsecured computer. The Sidewinder G2
provides the additional option to host the DNS server directly on the
Sidewinder G2, eliminating the need for an additional computer.
10
Domain Name System (DNS) 10-1

10
What is DNS?
10-2 Domain Name System (DNS)
The Sidewinder G2 offers two main DNS configurations: Transparent
DNS and Sidewinder-hosted DNS. The sections below explain each
configuration method.
Note: An excellent source of information on DNS is the Internet Software Consortium
Web site at www.isc.org. Some background information is also provided in the
Sidewinder G2 installation documentation. The book DNS and BIND, by Albitz & Liu
(O’Reilly & Associates, Inc.) is also a popular reference.
About transparent DNS
Transparent DNS represents a simplified DNS configuration. When
transparent DNS is configured for the Sidewinder G2, DNS traffic
passes transparently through the Sidewinder G2 using a proxy. The
Sidewinder G2 uses proxy rules that pass all DNS traffic by proxy to
its appropriate burb. DNS requests are then handled by the remote
servers. Other machines do not “see” the Sidewinder G2, which
means there is minimal disruption to your current DNS configurations
throughout your network.
Configuring transparent DNS requires specifying the IP address of one
or more remote DNS servers. (Alternative server addresses may be
used for redundancy.) If a customer is using NAT through the
Sidewinder G2, they should also have an additional DNS server on the
outside of their network. The external DNS server handles the
external zones of your network and its addresses. This configuration
allows you to control which addresses are visible to the outside
world.
Note: Transparent DNS is designed for simple DNS configurations. Complex DNS
configurations may require DNS services to be hosted directly on the Sidewinder G2.
About Sidewinder hosted DNS
Sidewinder hosted DNS represents a more complex DNS
configuration that utilizes the integrated Sidewinder G2 DNS server.
When configured for hosted services, DNS servers run directly on the
Sidewinder G2. This places the DNS server(s) on a hardened
operating system, preventing attacks against these servers from
penetrating your network.

What is DNS?
In a hosted DNS configuration, the Sidewinder G2 requires
information about your DNS authority. Generally, there should be
only one "master" name server for any fully-qualified domain, (such as
nyc.bigbiz.com) also called a “zone”. There may be many "slave"
servers, for redundancy and better performance, but they derive their
information from the one master for each domain.
You can configure Sidewinder hosted DNS to use a single server or
split servers as follows:
Hosted single server DNS—In a Sidewinder hosted single server
configuration, one DNS server is hosted on the Sidewinder G2 and
handles all DNS queries. The server is protected by the Sidewinder
G2 hardened OS, preventing attacks from penetrating your
network. A single server configuration is generally used when you
have no concerns for keeping your internal network architecture
hidden, such as when your Sidewinder G2 is acting as an
“intrawall” between two sets of private addresses. External hosts
will need to be reconfigured to point to the Sidewinder G2 servers.
Hosted split server DNS—In a Sidewinder hosted split server
configuration, two DNS servers are hosted on the Sidewinder G2:
one server (the external name server) is bound to the external
burb and the other server (the "unbound" name server) is available
for use by all internal burbs. Both servers are protected by the
Sidewinder G2 hardened OS, which is able to prevent attacks
against them from penetrating your network.
The security benefit of using a Sidewinder hosted configuration is
the ability to hide the DNS entries on the unbound server from
those who only have access to the external burb. External hosts
will need to be reconfigured to point to the Sidewinder G2 servers.
Important: You must use hosted split DNS if you want the Sidewinder G2 to hide your
private IP addresses (via Network Address Translation).
Note: Secure Computing recommends splitting the Sidewinder G2 DNS servers when
using hosted DNS.
Domain Name System (DNS) 10-3

About mail exchanger records
About mail
exchanger records
10-4 Domain Name System (DNS)
Listed below are some additional points about running DNS on your
Sidewinder G2:
Sidewinder G2 uses Berkeley Internet Name Domain (BIND 9).
The boot files for the unbound and the Internet name servers are
/etc/named.conf.u and /etc/named.conf.i, respectively. The boot
files specify corresponding directories: /etc/namedb.u and
/etc/namedb.i. When you boot your Sidewinder G2, the name
server daemon (named) is started. The /etc/named.conf.u and
/etc/named.conf.i files specify whether the Sidewinder G2 is a
master or a slave name server and list the names of the files that
contain the DNS database records.
If you choose to configure the Sidewinder G2 as a master name
server on either the unbound (internal) or Internet (external) side,
you can modify the /etc/namedb.u/domain-name.db and
/etc/namedb.i/domain-name.db files (where domain-name = your
site’s domain name). You can add the default information that is
being advertised for these zones.
The Sidewinder G2 contains a non-blocking DNS resolver to
support reverse IP address look-ups in the active proxy rule group,
and name-to-address look-ups in the http proxy. The relevant
resolver library calls are gethostbyname() and gethostbyaddr(). The
non-blocking DNS resolver provides a small number of DNS
resolver daemons (nbresd) that are handed queries to resolve on
behalf of the client.
When you set up Sidewinder hosted DNS services for your site, you
need to create mail exchanger (MX) records. MX records advertise
that you are accepting mail for a specific domain(s). If you do not
create an MX record for your domain, name servers and users on the
Internet will not know how to send e-mail to you. When an e-mail
message is sent from a site on the Internet, a DNS query is made in
order to find the correct mail exchange (MX) host for the destination
domain. The sender’s mail process then sends the e-mail to the MX
host. The Sidewinder G2, through the use of mailertables, will forward
the mail to the internal mail process, which in turn will forward it to
the internal mail host. See “Editing the mail configuration files” on
page 11-10 for more information on mailertables.

Figure 10-1. Mail
exchanger example
Configuring the
internal network
to use hosted DNS
Configuring the internal network to use hosted DNS
Consider the example shown in Figure 10-1. Someone in the Internet,
Lloyd, wants to send one of your users, Sharon, an e-mail message,
but all Lloyd knows is Sharon’s e-mail address: sharon@foo.com. The
mailer at Lloyd’s site uses DNS to find the MX record of foo.com.
Lloyd’s message for Sharon is then sent to the mailhost listed in the
MX record for Sharon’s site.
Lloyd
(Request)
MX record
request
(Response)
e-mail message for
sharon@foo.com
name server for foo.com
MX record*
for foo.com
Sidewinder G2
fw.foo.com
* MX record for foo.com
fw.foo.com
A master name server stores and controls your site’s MX records. The
master name server may be in the external burb of your Sidewinder
G2, or on a host outside of your network (for example, your Internet
service provider). If your Sidewinder G2 controls the master name
server, then you can make any necessary changes to your MX records;
if another host controls your master name server, then changes have
to be made on that host. For more information on MX records see
Chapter 5 of DNS and Bind by Albitz & Liu.
For information on creating MX records using the Admin Console, see
“Using the Master Zone Attributes tab” on page 10-20.
If you are going to use transparent proxies to provide Internet
services to your internal users, the internal client workstations must
send their name server queries to the Sidewinder G2 or to other
internal name servers that forward unresolved host names to the
Sidewinder G2. There are two ways to set this up:
Domain Name System (DNS) 10-5

Enabling and disabling your DNS server(s)
Enabling and
disabling your
DNS server(s)
10-6 Domain Name System (DNS)
Reference the Sidewinder G2 in any name resolution configuration
that the client workstation may have. For example, a UNIX system
uses the /etc/resolv.conf file to list the name servers that system
should query. A name server reference for the Sidewinder G2 is all
that is needed.
Point client workstations at one or more internal name servers.
These name servers should be authoritative for the internal domain
and configured as slave forwarders, with the Sidewinder G2 as the
forwarding destination.
This section describes how to determine the number of DNS servers
currently in use. It also describes how to use the Admin Console to
enable or disable the individual DNS servers.
Using master and slave servers in your network
Typically, a company will use two or more DNS servers to provide
domain name service to their customers. This provides for load
balancing and redundancy. When more than one DNS server is used,
the local administrator designates one DNS server to host the "master"
zone files. The other DNS servers are slave servers that merely retrieve
copies of the zone files from the master server. To outside users there
is no indication or need to know about which of the multiple servers
is the master. They all provide equally authoritative answers to all
queries. The designation of which DNS server will be the master is
only significant to the DNS administrator, because changes are made
only at the master DNS server and not at the individual slave servers.
Important: When DNS servers in an HA cluster, Secure Computing recommends
configuring the Sidewinder G2 name servers as DNS slaves for authoritative zones. This
allows the Master DNS servers to update both Sidewinder G2s in the HA cluster. If you do
not configure the Sidewinder G2 name servers as DNS slaves for authoritative zones, DNS
changes will not be made to the secondary Sidewinder G2 unless it is rebooted.

Enabling and disabling your DNS server(s)
Determining the number of DNS servers currently
defined on Sidewinder G2
When you initially configured your Sidewinder G2 using the
Configuration Wizard, you defined the number of DNS servers to use
with your system. You can use the Admin Console to display the
number of servers currently defined on your Sidewinder G2. Select
Services Configuration -> Servers. If the named-internet server appears
in the Server Name field it means there are two DNS servers (split
DNS). If the named-internet server does not appear it means there is
only one DNS server (single DNS). To modify the number of DNS
servers you must use the Reconfigure DNS window. See
“Reconfiguring DNS” on page 10-29 for information.
Enabling and disabling hosted DNS servers
When you configure Sidewinder hosted DNS services, the Sidewinder
G2 will use either one or two DNS servers. The DNS server(s) start
automatically when you boot the Sidewinder G2. If you need to
manually enable or disable a DNS server, follow the steps in this
section.
Keep the following points in mind, however, if you decide to disable
a Sidewinder hosted DNS server.
If you have one DNS server
In this situation the server is known as an unbound DNS server. If
you disable the DNS server, only connections that use IP addresses
will still work; those that use host names will not.
If you have two DNS servers
This situation is also known as split DNS mode. Note the following:
— If you disable the Unbound DNS server, connections that use
IP addresses will still work; those that use host names will not.
— If you disable the Internet server, external connections that
require host names will not work unless the name is already
cached (saved) in the unbound name server’s database.
Connections that use IP addresses will work. E-mail will be
placed in a queue since IP addresses cannot be resolved.
Domain Name System (DNS) 10-7

Advanced configurations
Advanced
configurations
10-8 Domain Name System (DNS)
— If you disable both name servers, connections will work only
if they use IP addresses rather than host names. Also, mail will
not work and other errors will happen as other parts of the
system attempt to access the network by name.
In either case, once you disable a server the server will remain disabled
until you enable it again.
Note: See “Activating the Sidewinder G2 license” on page 3-19 for information on
enabling and disabling servers.
Note: The following information applies only if you have a DNS server configured on the
Sidewinder G2.
If your site has multiple internal domains, and there are name servers
for each of these domains, the Sidewinder G2 must be designated as
an authoritative name server for all of the internal domains (the
internal name servers also may be authoritative for one or more of the
internal domains). This must occur regardless of whether the
Sidewinder G2 is a master or a slave name server. The Sidewinder G2
must be an authoritative name server for all internal domains so that it
can resolve queries for the internal domains. The Sidewinder G2 will
otherwise automatically forward these internal name queries to the
Internet, and the query will not be resolved.
Note: In split DNS mode, if a DNS name occurs in the database of both servers, the name
will resolve differently depending on the server that is queried. This occurs when the
Sidewinder G2 is authoritative for the same domain both internally and externally.
Because of this issue, if you try to access the Internet side of the Sidewinder G2 from an
internal workstation you must use the appropriate machine name. For example, if the
name of your Sidewinder G2 is “chloe,” then use the machine name “chloe-Internet.” This
entry is automatically created during installation. For more information on DNS see DNS
and BIND by Albitz & Liu, 3rd edition (O’Reilly).

Managing your
current DNS
configuration
Configuring
transparent name
servers
Managing your current DNS configuration
You initially configure your DNS servers during the installation
process. If you want to make changes to your existing DNS
configuration, you can use one of two methods:
Admin Console—Using the Admin Console, you can do the
following:
— Configure DNS servers via Services Configuration -> DNS. The
DNS server window enables you to configure the basic DNS
settings as well as configure many advanced options. See
“Configuring transparent name servers” on page 10-9 for
details.
— Completely reconfigure your DNS settings (for example,
change from transparent to Sidewinder hosted or vice versa)
via Tools -> Reconfigure DNS. See “Reconfiguring DNS” on page
10-29 for details.
Note: Using the Admin Console to modify your DNS configuration will remove any
comments you may have manually inserted into the DNS configuration files.
Manual—You can also manually edit the DNS configuration files.
This should only be attempted by highly skilled DNS
administrators. See “Manually editing DNS configuration files” on
page 10-35 for details.
The sections that follow provide information on each method.
If you have configured DNS to use transparent services, you can add,
modify, or delete transparent name servers. In the Admin Console,
select Services Configuration -> DNS. The Transparent DNS Configuration
window appears.
Note: If you want to completely reconfigure your existing DNS configuration (for
example, change from transparent DNS to Sidewinder hosted DNS or vice versa), you must
use the Reconfigure DNS window. See “Reconfiguring DNS” on page 10-29 for details.
Domain Name System (DNS) 10-9

Configuring transparent name servers
Figure 10-2. Transparent
DNS Configuration
window
About the Transparent DNS
Configuration window
Figure 10-3. Transparent
New/Modify Nameserver
window
About the New/Modify
Nameserver window
10-10 Domain Name System (DNS)
This window allows you to configure name servers for transparent
DNS services. You can specify the burb to which the name servers
will be assigned from the Burb drop-down list.
To delete a name server, highlight the name server and click Delete.
Note: To scroll through the list of nameservers, click the Up and Down buttons as
appropriate.
To add a new name server to the list, click New. To modify a name
server, highlight the name server and click Modify. The Transparent:
New/Modify Nameserver window appears.
This window allows you to add a new name server to the list of name
servers configured for transparent services. Type the IP address for
the name server you want to add or modify in the Nameserver IP
Address field, and click OK to add the name server to the list.

Configuring
hosted DNS
servers
Figure 10-4. Sidewinder
Hosted DNS window
About the Sidewinder
hosted DNS window
Configuring hosted DNS servers
If you have configured DNS to use Sidewinder hosted services (single
or split), you can define various name server information. In the
Admin Console, select Services Configuration -> DNS. The DNS window
contains four tabs that allow you to define specific name server
information.
Note: If you want to completely reconfigure your existing DNS configuration (for
example, change from transparent DNS to Sidewinder hosted DNS or vice versa), you must
use the Reconfigure DNS window. See “Reconfiguring DNS” on page 10-29 for details.
This window allows you to configure your Sidewinder hosted DNS
server(s). It contains the following tabs.
The Server Configuration tab is used to configure general
information about a name server. See “Configuring the Server
Configuration tab” on page 10-12 for details.
The Zones tab defines each of the master and slave zones
associated with the selected name server. See “Configuring the
Zones tab” on page 10-16 for details.
The Master Zone Attributes tab is used to configure attributes for
each master zone defined on the Zones tab. See “Using the Master
Zone Attributes tab” on page 10-20 for details.
The Master Zone Contents tab defines the hosts associated with each
master zone defined on the Zones tab. See “Using the Master Zone
Contents tab” on page 10-25 for details.
Domain Name System (DNS) 10-11

Configuring hosted DNS servers
Figure 10-5. DNS objects
and the tab used to
configure each object
10-12 Domain Name System (DNS)
Figure 10-5 illustrates the different DNS objects you can configure,
how they relate to each other, and which tab is used to configure
each object.
DNS Object
Name server Zones (consists of
forward and reverse
lookups)
Where Defined
DNS Object
Where Defined
Configuring the Server Configuration tab
DNS Object
Individual hosts
within each zone
Where Defined
Server Configuration tab Zones tab Master Zone Attributes
tab and Master Zone
Contents tab
Name
Server
Zone
Zone
Zone
Zone
The Server Configuration tab is used to define configuration settings for
the selected name server. When you select the Server Configuration tab
a window similar to the following appears.

Figure 10-6. DNS Server
Configuration tab
About the Server
Configuration tab
Configuring hosted DNS servers
This window allows you to define alternate name servers that will be
contacted if a query cannot be resolved by the selected name server.
The alternate name servers are called forwarders. This window is also
used to define advanced configuration settings for the name server. To
modify the Server Configuration tab, follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder
hosted single server to split server), click Reconfigure DNS.
1. In the Modify Server For field, select the name server that you want to
modify.
Note: The File Directory displays the name and location of the files used to store
information about this server. This field cannot be modified.
2. In the Do Forwarding field, specify whether the name server will forward
unresolvable queries to another name server. In a split DNS
configuration, when modifying the unbound name server this field will
default to Yes and will forward unresolved queries to the Internet server
(127.x.0.1, where x = the external [or Internet] burb number).
3. In the Forward Only field, specify whether the name server will
immediately forward an unresolvable query to the names servers listed
in the Forward To list. If you select No, the name server will attempt to
contact the root server to resolve the query before contacting one of
the alternate name servers. The default value is Yes.
Domain Name System (DNS) 10-13

Configuring hosted DNS servers
Entering information on the
Forwarding IP Address
window
10-14 Domain Name System (DNS)
4. In the Forward To field, specify the alternate name servers that will be
used when attempting to resolve a query. This list is consulted only if
Yes is selected in the Do Forwarding field. If multiple name servers are
defined, the names servers are consulted in the order listed until the
query is resolved. In a split DNS configuration, when modifying the
unbound name server this list will by default contain four entries for
Internet name servers (127.x.0.1, where x = the external [or Internet]
burb number).
Important: If you are using a split DNS configuration, Secure Computing strongly
recommends against defining additional alternate name servers for the unbound
name server. The Internet (or external) name server should be the only alternate
name server defined in this situation.
5. To add another entry to the list of authorized name servers, click New
under the Forward To list. See “Entering information on the Forwarding
IP Address window” on page 10-14 for information on adding a new
entry.
Note: To delete a name server from the Forward To list, highlight the name server
you want to delete and click Delete.
6. [Conditional] To modify an advanced configuration setting for the name
server, click Advanced. For more information on modifying the
Advanced Server Options window, see “Entering information on the
Advanced Server Options window” on page 10-15.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
7. Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Zones tab” on page
10-17.
This window is used to add an entry to the list of alternate name
servers. The alternate name servers are consulted if the primary name
server cannot resolve a query. Follow the steps below.
1. In the Forward to IP Address field, type the IP address of the alternate
name server. Use the standard quad notation when typing the IP
address (for example, 1.1.1.1).
2. Click Add to save the specified IP address to the list of alternate name
servers.
3. When you are finished adding alternate name servers, click Close.

Entering information on the
Advanced Server Options
window
Configuring hosted DNS servers
The Advanced Server Options window is used to define some of the
more advanced DNS name server options. Do not change these
options unless you are an experienced DNS system administrator.
Important: By default the options on this window are disabled, meaning there are no
restrictions. If your organization considers this to be a security risk you should use these
options to limit the amount of interaction this name server has with other devices. Use
your organization’s security policy as a guide.
To modify advanced server options, follow the steps below.
1. To enable the notify option, select the corresponding check box.
Enabling this option allows you to specify whether the master server
will notify all slave servers when a zone file changes. The notification
indicates to the slaves that the contents of the master have changed
and a zone transfer is necessary. If this field is not enabled (selected), the
field defaults to Yes.
2. To enable the check-names option, select the corresponding check box.
Enabling this option allows you to define how the name server will treat
queries that contain non-standard host names (for example, names
with underscores). You can define a different response for each role the
name server can assume.
Master—Select this option if the name server is a master server.
Slave—Select this option if the name server is a slave server.
Response—Select this option if the name server is responding to a
query using information it has received from another DNS server.
For each of these roles you can define three different actions:
warn—Select this option if the query contains a name error,
provides a response to the query, but logs a warning message.
fail—Select this option if the query contains a name error, and
returns an error response.
ignore—Select this option if the query contains a name error,
ignores the name error, and provides a response to the query
normally. For example, you should enable this option if you want
the name server to accept queries from hosts that contain
underscores in their name.
The default values for the check-names field are as follows:
For Master, the default is fail.
For Slave, the default is warn.
For Response, the default is ignore.
Domain Name System (DNS) 10-15

Configuring hosted DNS servers
10-16 Domain Name System (DNS)
3. To enable the allow-query option, select the corresponding check box.
Enabling this option allows you to limit who is able to query this name
server. If enabled, only the requesters defined in the allow-query list will
be authorized to query this name server. Use the New and Delete
buttons to modify this list. See “Adding an IP address” on page 10-16 for
details on using the New button.
By default the allow-query option is not enabled, meaning all requesters
are authorized to query the name server.
4. To enable the allow-transfer option, select the corresponding check
box. Enabling this option allows you to limit who is authorized to
request zone file transfers from this name server. If enabled, the name
server will only transfer zone files to requesters defined in the allowtransfer
list. Use the New and Delete buttons to modify this list. See
“Adding an IP address” on page 10-16 for details.
By default the allow-transfer option is not enabled, meaning the name
server will transfer zone files to all requesters.
5. Click OK to save your changes.
Adding an IP address This window is used to add a new IP address to the selected list in the
Advanced Server Options window. To add a new IP address, type the
IP address of the name server you want to add in the IP Address field.
Click Add and then click Close to add the specified IP address to the
name server list.
Configuring the Zones tab
A DNS server is responsible for serving one or more zones. A zone is
a distinct portion of the domain name space. A zone consists of a
domain or a subdomain (for example, securecomputing.com or
sales.securecomputing.com). Each DNS server can be configured as
either a master name server or a slave name server for a zone.
When you select the Zones tab, a window similar to the following
appears.

Figure 10-7. DNS Zones
window
Configuring hosted DNS servers
About the Zones tab This tab is used to define zone information about the name server.
Follow the steps below.
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder
hosted single server to split server), click Reconfigure DNS.
1. In the Modify Server For field, select the name server that you want to
modify.
2. The Zones list defines the zones for which the name server is
authoritative. This list initially contains a zone entry for each domain and
each network interface defined to the Sidewinder G2. You can add or
delete zone entries as follows:
To add a new zone to the list, click New and see “About the Zone
List window” on page 10-19 for details.
To delete a zone, highlight a zone and click Delete.
Secure Computing strongly recommends against deleting or modifying
the following entries:
Any 127 reverse zones (for example, 0.1.127.in-addr.arpa). These
zones represent local loopback addresses and are required.
The zone with 192.239 in its name. This zone provides multicast
support for the Sidewinder G2 failover feature.
Domain Name System (DNS) 10-17

Configuring hosted DNS servers
10-18 Domain Name System (DNS)
There can be two different types of entries in the Zone list:
Reverse zones (for example, 4.3.in-addr.arpa): This format indicates
the entry provides reverse lookup functions for this zone.
Forward zones (for example, bizco.net): This format indicates the
entry provides forward lookup functions for this zone.
The Related Zones list displays the zones that are related to the selected
zone. For example, if a forward zone is selected, the related reverse
lookup zones are displayed. This list cannot be modified.
3. In the Zone Type field, specify whether the selected zone is a master
zone or a slave zone as follows:
Master—A master zone is a zone for which the name server is
authoritative. Many organizations define a master zone for each
sub-domain within the network. Administrators should only make
changes to zones defined as a master.
Important: You should consider defining a matching reverse zone (an
in-addr.arpa zone) for each master zone you configure.
Slave—A slave zone is a zone for which the name server is
authoritative. Unlike a master zone, however, the slave zone’s data
is periodically transferred from another name server that is also
authoritative for the zone (usually, the master). If you select Slave,
the Master Servers field becomes active. Be sure to use the Master
Servers field to define the name server that will provide zone
transfer information for this slave zone. Administrators should not
make changes to zones defined as a slave.
Caution:When changing a zone from slave to master, the Admin Console changes
the slave file into a master file and the file becomes the lookup manager for the zone.
The DNS server will have no problems understanding and using the new master file.
For large zones (class A or B), however, this file may become too complex to be
managed properly using the Admin Console. Secure Computing recommends either
leaving large zones as slaves on the Sidewinder G2 or manually modifying these files.
Forward—A forward zone allows you to configure forward
requests for a particular zone. To configure forward requests for a
zone, click New beneath the Forwarders list and add the
appropriate IP address.
4. In the Zone File Name field, specify the name of the file that is used to
store information about this zone. The file is located in the directory
specified in the File Directory field on the Server Configuration tab.
Secure Computing does not recommend changing this name.

About the Zone List
window
About the Advanced Zone
Configuration window
Configuring hosted DNS servers
5. The Master Servers list defines one or more master name servers that
are authorized to transfer zone files to the slave zone. This field is only
active if a slave zone is selected in the list of Zones. You can add or
delete zone entries as follows:
To add a new master server to the list, click New and see “Adding
an IP address” on page 10-16 for details.
To delete a master server, highlight a server and click Delete.
6. [Conditional] To modify an advanced configuration setting for the
selected zone, click Advanced. For more information on modifying the
Advanced Server Options window, see “About the Advanced Zone
Configuration window” on page 10-19.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
7. Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Zone List window”
on page 10-19.
This window is used to add a new zone entry. In the Zone Name field,
type the name of the forward or reverse zone you want to add to the
list. Click Add and then click Close to exit this window.
The Advanced Zone Configuration window is used to define some of
the more advanced zone configuration options. This window allows
you to configure certain options specifically for the selected zone,
overriding similar options that may be configured for the global name
server (the Unbound or the Internet name server). Follow the steps
below.
Important: Only experienced DNS administrators should modify an advanced
configuration setting.
1. To enable the check-names option, select the corresponding check box.
Enabling this option allows you to determine how the zone will treat
queries that contain non-standard host names (for example, names
with underscores). You can define one of three different actions:
warn—If the query contains a name error, provides a response to
the query, but logs a warning message
fail—If the query contains a name error, an error response is
returned
ignore—If the query contains a name error, the name error is
ignored and a response to the query is provided normally. For
example, you should enable this option if you want the zone to
accept queries from hosts that contain underscores in their name.
Domain Name System (DNS) 10-19

Configuring hosted DNS servers
10-20 Domain Name System (DNS)
1. To enable the notify option, select the corresponding check box.
Enabling this option allows you to specify whether the master server
will notify all slave servers when a zone file changes. The notification
indicates to the slaves that the contents of the master have changed
and a zone transfer is necessary. The name servers that are notified are
those defined in the Zone NS Records field on the Master Zone
Attributes tab. If this field is not enabled the field defaults to Yes.
2. To enable the allow-update option, select the corresponding check box.
Enabling this option allows you to specify from whom the zone will
accept dynamic DNS updates. If this option is enabled, only the hosts in
the allow-update list are authorized to update this zone. This option is
only valid for master zones. Use the New and Delete buttons to modify
this list. See “Adding an IP address” on page 10-16 for details on using
the New button.
By default the allow-update option is not enabled, meaning the zone
will deny zone files from all hosts.
3. To enable the allow-transfer option, select the corresponding check
box. Enabling this option allows you to limit who is authorized to
request a zone transfer for this zone. If this option is enabled, the name
server will only transfer zone files to requesters defined in the allowtransfer
list. Use the New and Delete buttons to modify this list. See
“Adding an IP address” on page 10-16 for details.
By default the allow-transfer option is not enabled, meaning the zone
will transfer zone files to all requesters.
Using the Master Zone Attributes tab
The Master Zone Attributes tab is used to configure attributes for each
master zone defined on the Zones tab. Slave zones are not included
on this tab because you can only define attributes for those zones for
which you are the master.
When you select the Master Zone Attributes tab a window similar to the
following appears.

Figure 10-8. Master Zone
Attributes tab
About the Master Zone
Attributes tab
Configuring hosted DNS servers
This window is used to define the attributes of each master zone
defined for the selected name server. In particular, it defines the Name
Server record(s) and the Start of Authority (SOA) record for each
master zone. The window also enables you to define Mail Exchanger
(MX) records for those entries that are forward lookup zones. Follow
the steps below.
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder
hosted single server to split server), click Reconfigure DNS.
1. In the Modify Server For field, select the name server that you want to
modify.
The Master Zones list defines the zones for which the name server is
master. A plus sign (+) will appear in front of any forward lookup zone
that contains one or more sub-domains. Click on the plus sign to view
the sub-domains.
To modify an entry in the list, click on the entry name. A menu of
options used to characterize the selected entry is presented on the
right side of the window.
Note: The Forward Zone Name/Reverse Zone Name field displays the full zone
name associated with the entry selected in the Master Zones list.
2. To modify the Zone SOA tab, click on the tab and follow the sub-steps
below. The fields on the Zone SOA tab collectively define one Start Of
Authority (SOA) record. An SOA record controls how master and slave
zones interoperate.
Domain Name System (DNS) 10-21

Configuring hosted DNS servers
10-22 Domain Name System (DNS)
The DNS Serial # field displays the revision number of this SOA record.
This field will increment by one each time you modify this zone. Slave
zones use this field to determine if their zone files are out-of-date. You
cannot modify this field. (See sub-step b for more details.)
a. In the DNS Contact field, specify the name of the technical contact
that can answer questions about this zone. The name must be a
fully-qualified name, with the @ character replaced by a period (for
example, hostmaster.domain.com).
b. In the Refresh (seconds) field, specify how often a slave will check
this zone for new zone files. The slave uses the DNS Serial # value to
determine if its zone files need to be updated. For example, if the
slave’s DNS serial number is 4 and the master zone’s DNS serial
number is 5, the slave knows that its zone files are out-of-date and it
will download the updated zone files. Values must be positive
integers. The default value is 3600 (1 hour).
c. In the Retry (seconds) field, specify how long a slave should wait to
try another refresh following an unsuccessful refresh attempt. Values
must be positive integers.
d. In the Expiration (seconds) field, specify how long a slave can go
without updating its data before expiring its data. For example,
assume you set this value to 604800 (one week). If the slave is
unable to contact this master zone for one week, the slave’s resource
records will expire. Queries to the slave will then be treated as if that
DNS server is not authoritative for that domain (zone), resulting in a
recursive search or forwarding, depending on how the slave is
configured. Values must be positive integers.
e. In the TTL (seconds) field, specify the time to live (TTL) value. This
value defines how long a resource record from this zone can be
cached by another name server before it expires the record. The
value specified here is used as the default in records that do not
specify a TTL value. Values must be positive integers.
f. To add a sub-domain to the selected zone, click Add Sub. This
button is only available if a forward lookup zone is selected in the
Zones list. For information on adding a sub-domain, see “Adding a
forward lookup sub-domain” on page 10-23.
g. To delete a sub-domain from the selected zone, click Delete Sub.
This button is only available if a forward lookup zone is selected in
the Zones list. See “Deleting a forward lookup sub-domain” on page
10-24 for details.

Adding a forward lookup
sub-domain
Configuring hosted DNS servers
3. To modify the Zone Records tab, click on the tab. This tab contains NS
(Name Server) and MX (Mail Exchange) records for forward zones. This
tab contains only NS Records for reverse zones.
The Name Servers table contains DNS NS records that indicate what
machines will act as name servers for this zone. By default the table
contains an entry for the machine you are currently using. (To add or
delete an entry use the New or Delete buttons, respectively. See “Adding
an NS record” on page 10-24 for details on adding a new entry.)
If this zone is configured to notify all slave servers when a zone file
changes (see “About the Advanced Zone Configuration window” on
page 10-19 for a description of the notify field), the notify commands
are sent to all NS hosts specified here.
The Zone MX Records list is available only if the selected zone entry is a
forward lookup entry. It is used to specify entries in the Mail Exchangers
table for the selected zone. The Mail Exchangers table contains DNS MX
records that indicate what machines will act as mail routers (mail
exchangers) for the selected domain. To add or delete an MX record
entry use the New or Delete buttons, respectively. See “Adding an MX
record” on page 10-24 for details on adding a new MX record entry.
The Zone A Record field is available only if the selected zone entry is a
forward lookup entry. It defines a DNS A record (an Address record). A
DNS A record is used to map host names to IP addresses. The address
you specify must be entered using standard dotted quad notation (for
example 172.14.207.27).
4. Click the Save icon in the toolbar to save your changes. To configure
additional name server information, see “About the Master Zone
Attributes tab” on page 10-21.
This window is used to add a forward lookup sub-domain to the
selected forward lookup zone. By adding a sub-domain you are
delegating authority for a portion of the parent domain to the new
sub-domain. Follow the steps below.
1. In the Forward Sub-Domain Name field, type the name of the subdomain.
Do not type a fully qualified name. For example, assume you
have a domain named bizco.net that contains a sub-domain named
west. You would type west in this field rather than west.bizco.net.
Domain Name System (DNS) 10-23

Configuring hosted DNS servers
Deleting a forward lookup
sub-domain
10-24 Domain Name System (DNS)
2. In the Sub-Domain NS Records field, specify entries in the Name Servers
table for this sub-domain. The Name Servers table contains DNS NS
records that indicate what machines will act as name servers for this
sub-domain. To add or delete an entry use the New or Delete buttons,
respectively. See “Adding an NS record” on page 10-24 for details on
adding a new entry.
3. [Optional] In the Sub-Domain MX Records field, specify entries in the
Mail Exchangers table for this sub-domain. The Mail Exchangers table
contains DNS MX records that indicate what machines will act as mail
routers (mail exchangers) for the sub-domain. To add or delete an MX
record entry use the New or Delete buttons, respectively. See “Adding
an MX record” on page 10-24 for details on adding a new MX record
entry.
This window is used to delete a sub-domain from a forward lookup
zone. The Domains in Zone field lists the domains defined in the zone.
1. To delete a domain, highlight the domain you want to delete and click
Delete Domain.
2. Click OK to save your changes. (Click Cancel to exit the window without
saving your changes.)
Adding an NS record This window is used to add a new NS record to the Name Servers
table associated with the selected zone or sub-domain. Follow the
steps below.
1. In the NS Record field, type the domain name associated with this NS
record. The name must be a fully-qualified name and must end with a
period. The name you specify should be a pre-existing domain name
that maps to a valid IP address.
2. Click Add to add the specified entry to the Name Servers table.
3. Click Close to exit the window.
Adding an MX record This window is used to add a new MX record to the Name Servers
table associated with the selected zone, sub-domain, or host. Follow
the steps below.
Note: For more information on MX records, see “About mail exchanger records” on page
10-4.
1. In the MX record field, type the fully-qualified name of the host that will
act as the mail exchange for this zone, sub-domain, or host.

Figure 10-9. Master Zone
Contents tab
About the Master Zone
Contents tab
Configuring hosted DNS servers
2. In the Priority field, type a priority level for this record. Valid values are
1–65535. The lower the value, the higher the priority (for example, a
value of 1 will have a higher priority than a value of 10).
3. Click Add to save the new record.
4. Click Close to exit the window.
Using the Master Zone Contents tab
The Master Zone Contents tab is used to define the hosts that are
associated with each master zone.
When you select the Master Zone Contents tab a window similar to the
following appears.
Note: If you are adding a large number of hosts (hundreds or thousands) to a master
zone, you may want to consider manually adding the required host information directly to
the appropriate DNS files using one of the available editors on the Sidewinder G2 to save
time. However, only experienced Sidewinder G2 administrators should attempt this. (Using
the manual method will still require you to manually define each host.)
This window is used to define the hosts that are associated with each
master zone. For each host you define in a forward lookup zone you
should also create a matching entry in the associated reverse lookup
zone. Follow the steps below.
Domain Name System (DNS) 10-25

Configuring hosted DNS servers
10-26 Domain Name System (DNS)
Note: To completely reconfigure your DNS settings (for example, change from Sidewinder
hosted single server to split server), click Reconfigure DNS.
1. In the Modify Server For field, select the name server that you want to
modify.
Note: The fields that are available on this tab will vary depending on whether a
zone, a host in a forward lookup zone, or a host in a reverse lookup zone is selected.
2. [Conditional] If you are modifying a zone, do the following:
a. To add a host to the selected zone, click Add Entry. If you are adding
a host to a forward lookup zone, see “Adding a new forward lookup
entry” on page 10-27 for details. If you are adding a host to a reverse
lookup zone, see “Adding a new reverse lookup entry” on page 10-
28.
b. To delete a host from the selected zone, click Delete Entry. See
“Deleting a host entry from a zone” on page 10-28 for details.
3. [Conditional] If you are modifying a host in a reverse lookup zone, the
following two fields appear:
Name (Host portion of IP): This field appears only if a host is
selected in the list. The field displays the host portion of either the
IP address or of the fully-qualified domain name of this entry. You
cannot modify this field. If you need to change the host name you
must delete the entry from the list, then add the entry back using
the new name.
Fully-Qualified Domain Name: This field displays the domain name
of the host. You can modify this field by typing in a new value. Be
sure to type the fully-qualified domain name of the host.
Note: The Name field and the Fully-Qualified Name Entry field collectively define
a PTR Record for the selected reverse lookup zone. The PTR record is used in a Reverse
Addresses table and maps an IP address to a host name.
4. [Conditional] If a host in a forward lookup zone is selected, the following
fields appear:
Entry Name: This field defines the host portion of the fully-qualified
domain name of this entry.
A Record IP: This field defines a DNS A record (an Address record),
which is used to map host names to IP addresses. In this case the
field displays the IP address of the selected host. You can modify
this field by typing in a new value. The address you specify must be
entered using standard dotted quad notation (for example
172.14.207.27).

Adding a new forward
lookup entry
Configuring hosted DNS servers
CNAME Rec: This field defines a DNS CNAME record, which is used
to map an alias to its canonical name.The field, if populated,
displays the name of the Canonical Record of the selected host.
You can modify this field by typing in a new name. The name you
specify must be entered using the fully-qualified primary name of
the domain.
Important: A host in a forward lookup zone requires either an A Record or a
CNAME Record.
Entry MX Records: This field is used to specify entries in the Mail
Exchangers table for the selected host. The Mail Exchangers table
contains DNS MX records that indicate what machines will act as
mail routers (mail exchangers) for the selected host. To add or
delete an MX record entry use the New or Delete buttons,
respectively. See “Adding an MX record” on page 10-24 for details
on adding a new MX record entry.
HINFO-Type: This field provides information about a host’s
hardware type.
HINFO-OS: This field provides information about a host’s operating
system.
Important: For security reasons, many organizations elect not to use these fields.
5. Click the Save icon in the toolbar to save your changes.
This window is used to define a new host for a forward lookup zone.
Follow the steps below.
Note: The following fields collectively define an Address record.
1. In the Entry Name field, specify the host portion of the fully-qualified
domain name of this entry.
2. In the A Record IP field, specify a DNS A record (an Address record),
which is used to map host names to IP addresses. The address you
specify must be entered using standard dotted quad notation (for
example 172.14.207.27). This field and the CNAME Rec field are mutually
exclusive.
3. In the CNAME Rec field, specify a DNS CNAME record, which is used to
map an alias to its canonical name. The name you specify must be
entered using the fully-qualified primary name of the domain. This field
and the A Record IP field are mutually exclusive.
Domain Name System (DNS) 10-27

Configuring hosted DNS servers
Adding a new reverse
lookup entry
Deleting a host entry from a
zone
10-28 Domain Name System (DNS)
4. [Optional] The Entry MX Records field lists entries in the Mail Exchangers
table for this host. The Mail Exchangers table contains DNS MX records
that indicate what machines will act as mail exchangers for the host. To
add or delete an MX record entry use the New or Delete buttons,
respectively. See “Adding an MX record” on page 10-24 for details on
adding a new MX record entry.
5. [Conditional] The HINFO-Type: field provides information about a host’s
hardware type.
6. [Conditional] The HINFO-OS field provides information about a host’s
operating system.
Important: For security reasons, many organizations elect not to use these fields.
7. Click Add to save the new entry.
8. Click Close to exit this window.
This window is used to define a new host for a reverse lookup zone.
Follow the steps below.
1. In the Entry Name field, specify the host portion of the IP address of this
entry.
2. In the Fully-Qualified Name Entry field, specify the domain name of the
host. Be sure to type the fully-qualified domain name of the host.
Note: The Entry Name field and the Fully-Qualified Name Entry field collectively
define a PTR Record for the selected reverse lookup zone. The PTR record is used in a
Reverse Addresses table and maps an IP address to a host name.
3. Click Add to save the new entry.
4. Click Close to exit this window.
This window is used to delete a host from the selected zone. The
Hosts in Zone field lists all the hosts currently defined within the
selected zone. To delete a host, highlight the host you want to delete
and click Delete Host. You can only delete one host at a time. Click OK
to save your changes and exit the window. (To cancel your changes,
click Cancel.)

Reconfiguring
DNS
Reconfiguring DNS
The Reconfigure DNS window allows you to completely reconfigure
DNS on your Sidewinder G2. Changes made by the DNS configuration
utility take effect immediately. You do not need to reboot the
Sidewinder G2.
Table 10-1 summarizes the available DNS configuration options. (For
more detailed information on determining which DNS configuration
best suits your situation, refer to the Sidewinder G2 Perimeter Security
Planning Guide.)
Note: Any active DNS servers on the Sidewinder G2 will be disabled during the
reconfiguration process.
Important: Any prior modifications you have made to your DNS configuration will be
lost when you save your changes. You will need to re-apply the modifications.
Domain Name System (DNS) 10-29

Reconfiguring DNS
10-30 Domain Name System (DNS)
Table 10-1. DNS configuration options
DNS Configuration Options
Transparent
DNS
Hosted
DNS
Single Indicates that DNS traffic will be proxied through the Sidewinder G2.
This configuration is generally used when you plan to use your
existing DNS server. If you are using a single internal DNS server,
external users will have proxied access to your DNS server. External
hosts will be unaware that the Sidewinder G2 is “transparently”
passing the DNS traffic. See “Reconfiguring transparent DNS” on page
10-31 for more information.
Split Indicates that DNS traffic will be proxied through the Sidewinder G2,
with a remote DNS server connected to each interface. DNS queries
will generally be handled by both your internal DNS server and your
external ISP. This configuration is more secure than using a single
server because your external server can limit access to your internal
naming system. External hosts will be unaware that the Sidewinder G2
is “transparently” passing the DNS traffic. See “Reconfiguring
transparent DNS” on page 10-31 for more information.
Single Indicates that only one DNS server is hosted on the Sidewinder G2
and handles all DNS queries. The server is protected by the Sidewinder
G2 hardened OS, preventing attacks against it from penetrating your
network. A single server configuration is generally used when you
have no concerns for keeping your internal network architecture
hidden, such as when your Sidewinder G2 is acting as an “intrawall”
between two sets of private addresses. External hosts will need to be
reconfigured to point to the Sidewinder G2 servers. See
“Reconfiguring single server hosted DNS” on page 10-32 for more
information.
Split Indicates that two DNS servers are hosted on the Sidewinder G2: one
server (the external name server) is bound to the external burb and
the other server (the "unbound" name server) is available for use by all
internal burbs. Both servers are protected by the Sidewinder G2
hardened OS, which is able to prevent attacks against them from
penetrating your network. The security benefit of this configuration is
the ability to hide the DNS entries on the unbound server from those
who only have access to the external burb. External hosts will need to
be reconfigured to point to the Sidewinder G2 servers. See
“Reconfiguring split server hosted DNS” on page 10-33 for more
information.
Important: You must use hosted split DNS if you want the
Sidewinder G2 to hide your private IP addresses (via Network Address
Translation).

Figure 10-10.
Reconfigure transparent
DNS window
About the Reconfiguring
transparent DNS window
Reconfiguring transparent DNS
Reconfiguring DNS
To reconfigure DNS to use transparent services, using the Admin
Console select Tools -> Reconfigure DNS. The Reconfigure DNS window
appears.
This window allows you to reconfigure your DNS settings to use
transparent DNS services. Follow the steps below.
1. In the New DNS Configuration drop-down list, select Transparent.
2. To configure the Sidewinder G2 to use the internal name server(s), do
the following:
a. Select the Internal Name Server check box.
b. In the corresponding IP Address field, type the IP address of the
name server located in the internal burb (that is, your enterprise
name server).
c. [Optional] In the Alternate IP Address field, type the IP address of an
alternate name server.
d. In the Burb drop-down list, select your internal burb.
Domain Name System (DNS) 10-31

Reconfiguring DNS
Figure 10-11.
Reconfiguring
Sidewinder Hosted
(single server) DNS
window
10-32 Domain Name System (DNS)
3. To configure the Sidewinder G2 to use the external (Internet) name
server(s), do the following:
a. Select the Internet Name Server check box.
b. In the corresponding IP Address field, type the IP address of the
name server located in the external (Internet) burb (that is, your ISP’s
name server).
c. [Optional] In the Alternate IP Address field, type the IP address of an
alternate name server.
d. Click the Save icon in the toolbar to reconfigure your DNS settings.
You will receive a pop-up message informing you whether the
reconfiguration was successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read this
window carefully before you click OK.
Reconfiguring single server hosted DNS
To reconfigure DNS to use single server hosted services, using the
Admin Console select Tools -> Reconfigure DNS. The Reconfigure DNS
window appears.

About the Reconfiguring
DNS: Sidewinder Hosted
(single server) window
Reconfiguring DNS
This window allows you to reconfigure your DNS settings to use
hosted single server DNS services. Follow the steps below.
1. In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2. Select the 1 Server radio button.
3. In the Domain field, verify that the correct domain name appears.
4. In the Authority field, select one of the following options:
Master: Select this option if the server you are defining will be a
master name server. A master name server contains name and
address information for every computer within its zone.
Slave: Select this option if the server you are defining will be a slave
name server. A slave name server is similar to a master name server,
except that it does not maintain its own original data. Instead, it
downloads data from another name server.
5. [Conditional] If you selected Slave in the previous step, type the IP
address of the master authority server in the Master IP field.
6. Click the Save icon in the toolbar to reconfigure your DNS settings. You
will receive a pop-up message informing you whether the
reconfiguration was successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read this
window carefully before you click OK.
Reconfiguring split server hosted DNS
To reconfigure DNS to use split server hosted services, using the
Admin Console select Tools -> Reconfigure DNS. The Reconfigure DNS
window appears.
Domain Name System (DNS) 10-33

Reconfiguring DNS
Figure 10-12.
Reconfiguring
Sidewinder Hosted (split
server) DNS window
About the Reconfiguring
DNS: Sidewinder Hosted
(split server) window
10-34 Domain Name System (DNS)
This window allows you to reconfigure your DNS settings to use
hosted split server DNS services. Follow the steps below.
1. In the New DNS Configuration drop-down list, select Sidewinder Hosted.
2. Select the 2 Server radio button.
3. To configure the Unbound server, do the following:
a. In the Domain field, verify that the correct domain name appears.
b. In the Authority field, select one of the following options:
Master: Select this option if the server you are defining will be a
master name server. A master name server contains name and
address information for every computer within its zone.
Slave: Select this option if the server you are defining will be a slave
name server. A slave name server is similar to a master name server,
except that it does not maintain its own original data. Instead, it
downloads data from another name server.
c. [Conditional] If you selected Slave in the previous step, type the IP
address of the master authority server in the Master IP field.

Manually editing
DNS configuration
files
4. To configure the Internet server, do the following:
Manually editing DNS configuration files
a. In the Domain field, verify that the correct domain name appears.
b. In the Authority field, select one of the following options:
Master—Select this option if the server you are defining will be a
master name server. A master name server contains name and
address information for every computer within its zone.
Slave—Select this option if the server you are defining will be a
slave name server. A slave name server is similar to a master name
server, except that it does not maintain its own original data.
Instead, it downloads data from another name server.
c. [Conditional] If you selected Slave in the previous step, type the IP
address of the master authority server in the Master IP field.
5. Click the Save icon in the toolbar to reconfigure your DNS settings. You
will receive a pop-up message informing you whether the
reconfiguration was successful.
Important: The pop-up message that appears may contain additional
information or warnings about your Sidewinder G2 configuration. Please read this
window carefully before you click OK.
If you prefer to edit the DNS configuration files manually, follow these
steps.
Note: Files with a u extension are for the unbound nameserver, and files with an i
extension are for the Internet nameserver.
Important: You should only edit zone files for a master name server. Never edit the
slave name server files. The file names shown below are for a master name server.
1. Log in to the Sidewinder G2 and enter the following command to
switch to the admin role.
srole
Note: The following two steps assume you have database files named
domain.db and reverse.db in your system. Substitute your file names as
required.
2. Open the /etc/namedb.u/domain.db and /etc/namedb.i/domain.db files
in a UNIX text editor and make the necessary changes.
3. Open the /etc/namedb.u/reverse.db and /etc/namedb.i/reverse.db files in
a UNIX text editor and make the necessary changes.
Domain Name System (DNS) 10-35

DNS message logging
DNS message
logging
10-36 Domain Name System (DNS)
4. Open the /etc/named.conf.u and /etc/named.conf.i files in a UNIX text
editor and make the necessary changes.
Note: If you use the /etc/named.conf.* files to change an existing master zone into
a slave zone, you must also manually remove the old zone files in your /etc/
namedb.* directories.
5. If you have added new files, you must change the files to the correct
Type Enforcement types.
To do this, type the following command and insert the names of the
file(s) you edited in steps 2, 3 and 4. For non-Internet (unbound) burbs,
in place of x type the identifier u. For the Internet burb, in place of x
type the index number of the Internet burb. (Use the region show
command to determine the index number.)
chtype DNSx:conf filename
6. Increment the serial number after every change to the master files.
7. Enter the following command to restart DNS.
ndc restart
Note: Any files created by named daemons, such as zone backup files or query log
files, have types of DNSu:file or DNSx:file.
8. Check /var/log/daemon.log for any errors.
DNS messages, Type Enforcement errors and process limit errors are
logged in the following locations on the Sidewinder G2.
/var/log/audit.raw: Contains information in the Sidewinder G2
audit format.
/var/log/daemon.log: Contains traditional Syslog format messages.
You can view the audit.raw file using the Audit windows in the
Admin Console (See Chapter 18). The daemon.log file can be viewed
using any text editor. (See Appendix A for more information on using
the different text editors.)

C HAPTER 11
Electronic Mail
About this chapter This chapter covers the information you need to use electronic mail
(e-mail) at your site and includes the following topics:
Overview of
e-mail on
Sidewinder G2
“Overview of e-mail on Sidewinder G2” on page 11-1
“Administering mail on Sidewinder G2” on page 11-6
“Managing sendmail” on page 11-7
“Editing the mail configuration files” on page 11-10
“Redirecting mail to a different destination” on page 11-20
“Other sendmail features” on page 11-22
“Managing mail queues” on page 11-27
The Sidewinder G2 uses the sendmail message transfer agent to
receive and route mail messages. When you run mail on a network
protected by the Sidewinder G2, all messages coming into and going
out from your site must be routed through the Sidewinder G2.
Mail server configuration options
The Sidewinder G2 offers two configuration options for handling mail:
Transparent—This configuration option allows you to use
transparent SMTP services (without sendmail processes running
directly on the Sidewinder G2). Transparent SMTP service indicates
that all inbound and outbound mail passes by proxy through the
Sidewinder G2, just as other proxy traffic does. When you use
transparent SMTP, the SMTP proxy is enabled and policy controls
for mail are enforced via the active policy rules. If you selected
Internet Services during configuration, two rules (smtp_in and
smtp_out) are automatically created and added to the Mail rule
group. The Mail rule group is automatically included in the active
proxy rule group. Mail filtering is not supported for transparent
mail services.
11
Electronic Mail 11-1

11
Overview of e-mail on Sidewinder G2
11-2 Electronic Mail
Secure Split SMTP Servers (hosted on Sidewinder G2)—This
configuration option allows you to have two sendmail servers
running directly on the Sidewinder G2, each supported on its own
burb: the external burb and one non-Internet burb that you
choose. The Sidewinder G2 sendmail servers will route mail
through the Sidewinder G2 only for these two burbs. This
configuration protects your internal mailhost from malicious
attacks, and offers a variety of additional mail-handling options.
When using secure split mail services, the Sidewinder G2 external
sendmail server is the mail host to which all external SMTP hosts
will connect. The Sidewinder G2 internal sendmail server will
connect with internal hosts in its same burb.
If you selected Secure Split SMTP during configuration, a rule
called smtp_all is automatically created and added to the Mail rule
group. This rule allows any client to connect to sendmail from any
location and attempt to send mail to another user. The Mail rule
group is automatically included in the active proxy rule group if
you selected Internet Services during configuration.
If you already have e-mail services running on your internal network,
the only change you need to make is to configure your
internal mail host to forward all outgoing messages to the
Sidewinder G2. Your internal mail host must run mail software that
can accept incoming messages from and send outgoing messages
to the Sidewinder G2. This system might be running sendmail or
some other mail package such as Microsoft Exchange or cc:Mail
with a Simple Mail Transport Protocol (SMTP) gateway.
When you configure secure split SMTP services, there are three
separate sendmail servers that each have a different purpose.
Local
The local server handles mail that is sent directly from the
Sidewinder G2. For example, if an administrator sends a mail message
from the Sidewinder G2, it is sent through the local server.
This sendmail process runs in the mtac domain and forwards all
mail to the internal network side of the Sidewinder G2.
Internal
The internal server runs in a trusted burb that you specified during
initial Sidewinder G2 configuration. This sendmail daemon
receives mail from one of three sources:

Overview of e-mail on Sidewinder G2
— a host on the internal network
— a sendmail process transferring mail from the local sendmail
server
— a sendmail process transferring mail from the external
sendmail server
The internal server delivers mail to one of three places:
— If the message is for a user local to the Sidewinder G2, such as
an administrator with a mailbox on the Sidewinder G2, it
delivers the message to the user’s mailbox using the
mail.local program.
— If the message is for a user on the internal network, it
connects to the mail host on the internal network and delivers
the mail there.
— If the message is not for either of the above, it assumes the
message is for an external user and transfers the message to
the external burb for that user.
External
The external server runs in the mta# domain (# is the burb index
of the Internet burb). This sendmail daemon receives mail from
one of two sources:
— a host on the external network
— a sendmail process transferring mail from the internal
sendmail server
The external server delivers mail to one of two places:
— If the message is for an external user, it connects to an
external host and delivers the mail there.
— If the message is for a user local to the Sidewinder G2 (such as
an administrator) or for a user on the internal network, it
transfers the mail to the internal burb for delivery to that user.
Electronic Mail 11-3

Overview of e-mail on Sidewinder G2
11-4 Electronic Mail
Mail filtering services on Sidewinder G2
The following mail filtering services can be configured using Mail
Application Defenses, and including them in the appropriate rule(s):
Note: You must have Secure Split SMTP mail servers configured to use mail filtering.
MIME/anti-virus filtering—You can configure filtering rules to specify
the types of MIME elements that will be allowed or denied,
configure the type of virus scanning you want to perform,
configure infected file handling, specify file attachment size
restrictions, and determine whether mail messages will be scanned
as a whole (entire message is allowed or denied) or in segments
(attachments may be dropped if they do not meet filtering criteria,
but the acceptable portions of the mail message will still reach the
recipient). You can also configure all mail to be rejected if
scanning services become unavailable. See “Configuring the Mail
MIME/Virus tab” on page 6-26.
Important: You must license and configure additional services before the MIME/
Anti-Virus filter rules you create will scan mail messages. See “Configuring scanning
services” on page 3-34.
Anti-spam filtering—Anti-spam filtering is a licensed service. Once
you are licensed for Anti-spam, you can enable or disable it on a
per-rule basis. See “Configuring the Mail Control tab” on page 6-
22.
Note: If you enable anti-spam filtering without licensing it, filtering will not be
performed.
Key word search filtering—The Keyword Search filter allows you to
filter mail messages based on the presence of defined key words
(character strings). See “About the Keyword Search tab” on page 6-
24. You must enable the kmvfilter server in the appropriate burbs
before the key word search filter will function.
Configure size limitations for mail messages—The size filter performs a
check on e-mail messages for the number of bytes the message
contains, including the message header. Messages that equal or
exceed the specified size you specify will be rejected. See “About
the Mail Size tab” on page 6-23.
Anti-relay controls—Anti-relay control uses access control to prevent
your mailhost from being used by a hacker as a relay point for
spam to other sites. This option is automatically enabled for all
Mail defenses and cannot be disabled. See “Configuring the Mail
Control tab” on page 6-22.

Sendmail differences on Sidewinder G2
Overview of e-mail on Sidewinder G2
When using Sidewinder-hosted SMTP services, all mail for a user local
to the Sidewinder G2 goes to the internal mta domain for delivery.
Local delivery does not take place in the external mta domain or the
mtac domain. Running sendmail on the Sidewinder G2 works as it
does in any other UNIX environment, with the following exceptions:
The Sidewinder G2 runs three separate sendmail servers (as
described in the previous section).
Type Enforcement restricts sendmail so that its security flaws
cannot be exploited. For example, Sidewinder G2 users cannot
execute shell scripts or other executables through sendmail, as
they could do on a standard UNIX system.
.forward files allow users to send their mail to another mailbox
that may be at a different location. For example, Sidewinder G2
administrators might choose to forward their mail to a mailbox
located on the internal network so they receive all of their mail in
one place. Administrators can use .forward files, but these files
cannot contain commands to run other programs, such as program
mailers (for example, procmail). For more information on
.forward files, see “Redirecting mail to a different destination” on
page 11-20.
If a server is too busy to send a message, or if the machine it is
sending mail to is not responding, the messages are sent to a mail
queue. The Sidewinder G2 has a separate queue for each sendmail
server: /var/spool/mqueue.#, /var/spool/mqueue.#, and
/var/spool/mqueue.c (# = the burb number).
Important: If mail cannot be delivered on the first attempt, it is placed in a queue.
By default, the system checks the queues every 30 minutes and attempts redelivery.
You can check if there are messages in the mail queues by following
the steps described in “Managing mail queues” on page 11-27.
Note: Mail is an extremely complex subject and can require a great deal of effort to
configure. With the Sidewinder G2, most of the mail configuration is automatically
completed during initial Sidewinder G2 configuration. However, if you want to get
deeper into mail than you have ever dreamed possible, the best resource is the book
sendmail by Bryan Costales (O’Reilly & Associates, Inc.).
Electronic Mail 11-5

Administering mail on Sidewinder G2
Administering
mail on
Sidewinder G2
11-6 Electronic Mail
Mail is configured on the Sidewinder G2 during initial Sidewinder G2
configuration. The configuration process allows you to specify either
transparent or secure split (Sidewinder-hosted) mail services. If you
select secure split services, you specify a mail host on your internal
network, and the necessary configuration files are automatically sets
up for you.
Once the Sidewinder G2 is configured, everything you need to run
the mail servers should already be set up:
The three mail domains: mtac, mtaX, and mtaY (where X = the
number of the external burb, and Y = the number of an internal
burb), are in place. Sendmail is already configured to route mail
among the three sendmail servers.
Mail addressed to users on your internal network will be
forwarded to the mail host you specified during configuration.
Messages that are sent to the person administering a mail system
are generally addressed to “postmaster.” During configuration, you
set up an administrator’s account. Postmaster messages are
automatically routed to that user.
Note: You will need to configure your internal mail server to forward non-local mail to
the Sidewinder G2. This procedure differs depending on the type of mail program your
network runs. Refer to your mail software’s documentation for details.
To manually configure options for your mail servers, see “Managing
sendmail” on page 11-7.
To enable or disable the servers, see “Managing sendmail” on page
11-7.
To configure Application Defenses for mail services, see “Creating
Mail Application Defenses” on page 6-21.
Viewing administrator mail messages on Sidewinder G2
Administrators can receive mail as soon as an account is created on
the Sidewinder G2. A mailbox will be created the first time an
administrator sends or receives a mail message. Mailboxes for
Sidewinder G2 administrators are stored in the /var/mail directory.
Important: Do not ignore the e-mail that accumulates on the Sidewinder G2 as it
contains important information about your network and Sidewinder G2 and also uses disk
space. Routinely read and delete mail sent to the Sidewinder G2, or have it redirected
elsewhere. To redirect mail to another destination, see “Redirecting mail to a different
destination” on page 11-20 or “Changing mail aliases” on page 11-26.

Managing
sendmail
Managing sendmail
To view mail for a specific administrator account, follow the steps
below.
1. At a Sidewinder G2 command prompt, log in to the Sidewinder G2
using your administrator user ID and password.
2. Enter the following command to change to the Admn role:
srole
Note: If you are a read-only administrator, enter srole adminro to change to the
AdRO domain.
3. Enter the following command to view a list of email messages
addressed to your mailbox:
mail
Note: Refer to the mail man page for detailed information on utilizing the mail
command. If you prefer, you may use an alternate mail program, such as Elm.
You can also configure your mail account to forward messages to an
internal email account.
You can perform many of the necessary sendmail configuration
functions using the Admin Console. To enable or disable the sendmail
server, follow the steps below.
1. In the Admin Console, select Services Configuration -> Servers -> and
then select sendmail.
2. To enable sendmail in a burb, select the corresponding check box for
that burb. To disable sendmail in a burb, deselect the check box.
3. Click the Save icon in the toolbar to save your changes.
4. To modify your existing mail configuration, select the Configuration tab.
The following window appears:
Electronic Mail 11-7

Managing sendmail
11-8 Electronic Mail
Figure 11-1. sendmail
window: Configuration
tab
About the sendmail
Configuration tab
The sendmail Configuration tab allows you to edit some of the more
common mail configuration files, enable ACL rule checking, and also
provides a shortcut to the Reconfigure Mail window. You can perform
the following actions:
Edit common mail configuration files—This portion of the window
displays commonly used mail configuration files for the two burbs
containing mail servers. If you need to edit one of the files, select
that file from the appropriate list and then click Edit File. The
selected file will be opened using the File Editor. (For basic
information on using the File Editor, see “Using the Admin Console
File Editor” on page 2-12. For detailed information on editing mail
configuration files, see “Editing the mail configuration files” on
page 11-10.)
Enable ACL Rule Checking—This field is enabled by default and
cannot be disabled.
Go to the Reconfigure Mail window—Click Reconfigure Mail to go
directly to the Reconfigure Mail window. The Reconfigure Mail
window allows you to completely reconfigure your existing mail
configuration files or create a default set of SMTP server
configuration files. See “Reconfiguring mail” on page 11-9 for more
information.

Figure 11-2. Reconfigure
Mail window
About the Reconfigure Mail
window
Reconfiguring mail
Managing sendmail
The Reconfigure Mail window is used to reconfigure your existing
mail configuration on the Sidewinder G2. In the Admin Console,
select Tools -> Reconfigure Mail. (You can also access this window
within the Configuration tab in the sendmail server window.) The
Reconfigure Mail window appears.
The Reconfigure Mail window allows you to reconfigure your existing
mail configuration. Follow the steps below.
Caution: If you manually edited any sendmail configuration files, changing your mail
configuration in the Reconfigure Mail window will overwrite the changes you made. Also,
if there is e-mail in the queue directory for a burb that will not be specified in the new mail
configuration, the e-mail will be deleted.
1. In the New SMTP Mode drop-down list, select the mail configuration
mode you want to configure. The following options are available:
Tip: Be sure to verify that your active proxy rules support the SMTP service
configuration that you choose. If you reconfigure your mail to use transparent
services, you will need to ensure that the appropriate proxy rules (rules that allow
mail to be delivered through the Sidewinder G2) are included in the active proxy rule
group. If you reconfigure your mail to use hosted (split) services, you will need to
ensure that the appropriate proxy rules exist if you configure the SMTP servers to
perform policy rule checks.
Electronic Mail 11-9

Editing the mail configuration files
Editing the mail
configuration files
11-10 Electronic Mail
Note: The current mode is listed in the Current SMTP Mode field.
Transparent—This option is used when you want to totally
reconfigure your mail system to use transparent SMTP service.
Transparent SMTP indicates that mail passes by proxy through the
Sidewinder G2. If you select this option, only the necessary files
needed to send administrative messages (including Sidewinder
G2-generated alerts, messages, and logs) will be configured. The
SMTP proxy is enabled.
Secure Split SMTP Servers (Sidewinder-hosted)—This option is used
when you want to totally reconfigure your mail system. It allows
you to take advantage of configuring additional sendmail features
including header stripping, spam control, mail routing and aliases,
and masquerading. For more information on configuring these
features, see “Other sendmail features” on page 11-22.
2. In the Internal SMTP Burb field, select the burb in which your site’s
internal SMTP server resides.
3. In the Internal SMTP Mail Server field, type the fully qualified name of
your site’s internal SMTP server.
4. Click the Save icon in the toolbar (or click Apply if you are accessing this
window from the Server window) to reconfigure your mail mode. A
confirmation window will appear when the reconfiguration process is
complete.
5. [Conditional] If you accessed Reconfigure Mail from the Servers
window, click Close to return to the sendmail server Configuration tab.
Sendmail stores its configuration information in sendmail.cf files.
These files contain information such as which delivery agents to use
and how to format message headers. These files are automatically set
up and generated for you when you install and configure your
Sidewinder G2. You should change your configuration options only if
you are directed to do so by Secure Computing, or if you are an
experienced sendmail user and want to customize the files for your
site.
Sendmail allows you to create configuration files using macros written
for the m4 preprocessor. Sections 19.5 and 19.6 in the UNIX System
Administration Handbook describe these macros. You can also refer
to the book sendmail by Bryan Costales (O’Reilly & Associates, Inc.).

Figure 11-3. Sidewinder
G2 mailertables
Editing the mail configuration files
You set up two mailertables on the Sidewinder G2: one internal and
one external. The external mailertable, /etc/mail/mailertable.mta# (#
= the number of the external burb), processes the mail and directs it
to the internal mailertable. The internal mailertable, /etc/mail/
mailertable.mta#
(# = the number of a trusted burb), sorts the mail by host name, and
sends the mail to the correct internal mail host. Figure 8-1 shows an
example of the route along which incoming mail messages travel.
Incoming e-mail
charlie@foo.com Sidewinder G2
lucy@sales.foo.com
linus@corp.foo.com
sally@ads.foo.com
Sidewinder G2 external
mailertable
(/etc/mail/mailertable.mta#)
foo.com burbmailer-burb:localhost
.foo.com burbmailer-burb:localhost
Message destination
corphub
linus@corp.foo.com
foohub
sally@ads.foo.com
charlie@foo.com
saleshub
lucy@sales.foo.com
Sidewinder G2 internal
mailertable
(/etc/mail/mailertable.mta#)
foo.com smtp:foohub
.foo.com smtp:foohub
corp.foo.com smtp:corphub
The Sidewinder G2 provides several different editors that you can use
when manually editing your mail files. The easiest method of
modifying these files is using the Admin Console. You may also use vi,
emacs, or pico if you prefer.
To edit the mail configuration files using the Admin Console, follow
these steps:
Caution: Only experienced administrators should modify sendmail configuration files.
1. Log in to the Admin Console and select Services Configuration ->
Servers.
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
Electronic Mail 11-11

Editing the mail configuration files
11-12 Electronic Mail
3. Select the configuration file you want to modify in the appropriate burb
configuration file list. You may edit the following files for a burb:
Important: If you modify any of these files, click the Save icon in the toolbar to
rebuild the sendmail configuration and database files.
Access Table—This file defines anti-relaying and anti-spamming
policies for the SMTP server.
Aliases File—(Available only in the internal burb.) This file defines
the mail aliases that are used to redirect e-mail to another person
or location.
Alternate Host Names File—This file identifies alternate host names
by which the Sidewinder G2 is known. E-mail addressed to any of
the alternate names is treated as local mail by the Sidewinder G2.
Domain Table—This file provides a mapping from an old domain
name to a new domain name. For example, you might modify this
file if your organization’s external domain name changes.
M4 Config File—This file defines the initial sendmail configuration.
Modify this file as needed to account for your site-specific
requirements.
Mailer Table—This file maps a domain to a mail relay that is
responsible for mail delivery in that domain.
Important: Only edit mail configuration files if it is necessary for your site’s e-mail
functionality.
There are separate files for each sendmail daemon running on the
Sidewinder G2.
4. Save your changes, and close the file.
5. Open the appropriate mailertable file and edit as necessary.
Important: Only edit mailertable files if it is necessary for your site’s e-mail
functionality.
The mailertable files are named /etc/mail/mailertable.mta# (# = the
appropriate burb number).
6. Enter the correct domain, mailer, and host in the following format:
domainmailer:host
On the internal side of the network, the mailertable appears as:
.foo.comsmtp:foohub
foo.comsmtp:foohub
corp.foo.comsmtp:foohub
sales.foo.comsmtp:foohub

Configuring
advanced antispam
options
Configuring advanced anti-spam options
On the external side of the network, the mailertable should appear as:
foo.comburbmailer-burb:localhost
.foo.comburbmailer-burb:localhost
where burb = the external burb number and Y = the internal (trusted)
burb number.
The entries that begin with a dot act as a wildcard, matching anything
with that domain name. The entries that do not begin with a dot match
the full domain name. See the /usr/share/sendmail/README file for more
information on creating mailertables.
7. Save the changes you made to file and then close the file.
8. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Using the Admin Console, you can configure the following advanced
anti-spam areas:
Configure the whitelist.cfg files to specify domains, IP addresses,
and headers that will be allowed to pass through unmodified
regardless of any rules that have been created. There is a separate
whitelist.cfg file for the internal and external (Internet) burbs. For
information on configuring a whitelist, see “Configuring the
whitelist.cfg files” on page 11-13.
Configure the policy.cfg file to determine the actions that will be
taken by the spam filter on a per-burb basis when it encounters
messages that are suspected to be spam. To configure the
policy.cfg file, see “Configuring the policy.cfg file” on page 11-15.
Caution: Modifying the authority.cfg files may prevent the spam filter from starting.
Therefore, the authority.cfg file should not be modified.
Configuring the whitelist.cfg files
To configure a whitelist for the internal or external (Internet) burb, in
the Admin Console select Services Configuration -> Servers and then
select Spamfilter from the list of servers. Select the Advanced tab. The
following window appears.
Electronic Mail 11-13

Configuring advanced anti-spam options
11-14 Electronic Mail
Figure 11-4. Spamfilter
Advanced tab
About the Spamfilter
Advanced tab
This tab allows you to manually configure whitelist entries for the
internal or external (Internet) burbs using the File Editor. To configure
a whitelist for the internal burb, select Edit Internal Burb Whitelist. To
configure the external (Internet) burb, select Edit Internet Burb Whitelist.
The appropriate whitelist.cfg file opens for editing.
There are two types of whitelist entries that can be added to this file:
Host—This type of whitelist entry applies to any kind of IP address
or domain name. If a DNS name is provided, then whitelist
effectiveness is contingent on DNS being properly enabled and set
up on the system on which Authority is installed. IP subclasses and
DNS subdomains are supported. The following examples display
the basic structure for a host entry:
type = host; address = [1.2.3.4]
type = host; address = [192.168.]
type = host; address = [mx1.somecompany.com]
type = host; address = [.gov]
Header—This type of whitelist entry effectively matches any
substring or regular expression against the specified header field.
The following examples display the basic structure for a host
entry:
type = header; header = [From]; value = [@.*gov>];
type = header; header = [From]; value = [@cloudmark.com];
When you are finished modifying the whitelist.cfg file, select File ->
Save to save your changes and then select File -> Exit to return to the
Spamfilter Advanced tab.

Configuring the policy.cfg file
Configuring advanced anti-spam options
The policy.cfg file allows you to determine the actions that will be
taken by the spam filter on a per-burb basis when it encounters
messages that are suspected to be spam. These configuration options
are stored in the /etc/sidewinder/authority/policy.cfg file. The
policy.cfg file contains a list of the actions that will be taken based on
the disposition of an email message (that is, the likelihood of the
message being spam).
The basic structure of each action is as follows:
threshold=85%; action=ADDHEADER; config=[header=
[X-SPAM]; value=[%p%%]]
where:
threshold—This field indicates the confidence level that is assigned
to an action. A high confidence level indicates that a message is
likely to be spam. A low confidence level indicates that a message
is unlikely to be spam. You can assign threshold values from
0–100. However, each action must have a unique threshold value.
action—This field specifies the action that will be taken for a
message based on the threshold defined. The available actions are
described in the following sections.
config—The configuration options allow you to specify additional
attributes for a particular action. The available configuration
options for each action are described in the following sections.
Configuring a policy configuration file
This section provides steps to access the policy.cfg files. For
information on modifying a particular action, refer to the sections the
follow this procedure.
1. Connect to the Sidewinder G2 using the Admin Console and select File
Editor. The File Editor window appears.
2. Click Start File Editor and select File -> Open. The Open File window
appears.
Electronic Mail 11-15

Configuring advanced anti-spam options
11-16 Electronic Mail
3. Select the Firewall File radio button. The Open File window appears.
Each burb on Sidewinder G2 has a policy.cfgSMF file associated with it,
allowing you to configure different actions for different burbs on the
Sidewinder G2. To distinguish among files, the corresponding burb
index number is appended to each file (for example, policy.cfg.SMF1 is
the configuration file for burb index 1).
4. Type the following path in the File field:
/etc/sidewinder/authority/policy.cfg.SMFn
(where n is the corresponding burb index for the burb you want to
configure)
5. Click OK to open the file. The policy.cfg.SMF file for the burb you selected
is displayed.
Actions that are commented out (that is, the first character is a # sign)
are disabled. To enable an action, remove the # signs. To modify a
particular action refer to the previous sections.
About the ADDHEADER action
The ADDHEADER action will apply a new text header line to the
message. The new header can then be used as a flag to sort or discard
messages that contain that header text. The following two
configuration options can be used with this action:
header—This option allows you to specify the text string that will
act as the name of the questionable header. The default value is
X-SPAM.
value—This option allows you to include the threshold value in the
header. The syntax for this option uses standard C language
expansion syntax. The only syntax supported for this option is
%p%%. At run time, the %p portion of this option is replaced with
the specified threshold value and the %% portion is translated to a
single % sign.
The following is an example of a ADDHEADER action that will add a
text header of “X-SPAM **%” to the message:
threshold=**%;action=ADDHEADER;config=[header=X-
SPAM;value=[%p%%]]

About the COPY action
Configuring advanced anti-spam options
Important: If your site handles a large amount of spam messages, the disk space
required to store copies can become significant. You may need to delete the copied
mailboxes periodically in this case.
This action will deliver the message to the recipient, as well as store a
copy of the message in a designated location. The message can then
be examined or deleted from the mbox file by an administrator. The
following options can be specified for this action:
path—The path for this value is preset as
/var/spool/authority/copied. Do not modify the path value.
depth—This option indicates the depth of the file within the
directory. The default value is 0.
default domain—This option allows you to specify the domain that
will be used if a recipient does not have a domain specified. The
default is local.
method—This option specifies whether or not a unique mailbox
will be created for each user in the designated directory, as
follows:
— individual: Specify this method to create a unique mailbox for
each recipient.
— consolidated: Specify this option to create a single, central
mailbox.
cycle—If a consolidated mailbox is used, this option can be used to
create additional consolidated mailboxes. You can specify that a
new mailbox be created each hour (hourly) or each day (daily).
The following is an example of a COPY action:
threshold=**%;action=COPY;config=[path=./copied;
depth=0;default domain=local]
About the DROP action
This action deletes the message from the MTA and prevents it from
being delivered to its recipient. Dropped messages cannot be
recovered. There are no options that can be configured for this action.
Electronic Mail 11-17

Configuring advanced anti-spam options
11-18 Electronic Mail
The following is an example of a DROP action that will delete the
message from the MTA without delivering it to the recipient or saving
a copy of the message for later handling:
threshold=**%;action=DROP
About the REFUSE action
This action rejects suspected spam at the gateway and allows the
sender to receive a customized return message, simulating the
absence of a mailbox. The following options can be specified for this
action:
rcode—This option specifies the main SMTP response code. This is
specified in RFC 821.
xcode—This option specifies the secondary SMTP response code.
This is specified in RFC 2034.
msg—This option specifies the text that will be contained in the
error message that is returned to the sender. For example, Delivery
denied. Mailbox unknown.
The following is an example of a REFUSE action that will cause mail
suspected of being spam to be discarded at the gateway. The message
“Delivery Denied.” will be returned to the sender.
threshold=**%;action=REFUSE;config=[rcode=500;
xcode=5.0.0;text=[Delivery Denied.]]
About the SAVE action
Important: If your site handles a large amount of spam messages, the disk space
required to store saved messages can become significant. You may need to delete the
saved mailboxes periodically in this case.
This action stores the message in a designated location without
delivering a copy to the recipient. The message can then be
examined, deleted, or forwarded to the intended recipient by an
administrator. The following options can be specified for this action:
path—The path for this value is preset as
/var/spool/authority/saved. Do not modify the path value.
depth—This option indicates the depth of the file within the
directory. The default is 0.

Configuring advanced anti-spam options
default domain—This option allows you to specify the domain that
will be used if a recipient does not have a domain specified. The
default is local.
method—This option specifies whether or not a unique mailbox
will be created for each user in the designated directory, as
follows:
— individual: Specify this method to create a unique mailbox for
each recipient.
— consolidated: Specify this option to create a single, central
mailbox.
cycle—If a consolidated mailbox is used, this option can be used to
create additional consolidated mailboxes. You can specify that a
new mailbox be created each hour (hourly) or each day (daily).
The following is an example of a SAVE action that will save all
messages in the specified threshold to a single directory. A new
directory will be created every hour.
threshold=**%;action=SAVE;config=[path=./saved;
depth=0;defaultdomain=local;method-consolidated;
cycle=hourly]
About the TAG action
This action tags the message with a text string (such as “SPAM”) in the
subject of the message, and then delivers it to the recipient. The
following options can be specified for this action:
target—This option specifies where the tag will be added.
Currently, the tag can only be added to the subject of a message.
action—This option determines whether the message will be
added to the beginning (prefix) or end (postfix) of the message
subject.
text—This option specifies the actual text that will be added to the
subject. The text must be enclosed in brackets, and should consist
of a short string using uppercase characters (for example, SPAM),
ending with a colon.
Electronic Mail 11-19

Redirecting mail to a different destination
Redirecting mail
to a different
destination
11-20 Electronic Mail
You can also include a confidence rating in the text portion of this
tag. A confidence rating provides a percentage rating, indicating
the likelihood that the email is spam using the Authority’s numerical
spam confidence rating system. To include the confidence rating
in this tag, add the string %p%% within the text brackets,
following the colon (you must include a space between the colon
and the string), as shown in the example below. At run time, the
%p portion of this option is replaced with the specified threshold
value and the %% portion is translated to a single % sign.
The following is an example of a TAG action that will include the tag
“SPAM” at the beginning of the subject line:
threshold=**%;action=TAG;config=[target=subject;
action=prefix;text=[SPAM: %p%%]]
If you want to redirect mail from your mailbox to a different
destination, you need to place a .forward file either in a user’s home
directory or in the /root directory of where you want the mail sent
from. The following sections provide information on how to create
.forward files on the Sidewinder G2. (For additional information on
.forward files see Chapter 19 in the UNIX System Administration
Handbook.)
Creating a .forward file in a user’s home directory
This section describes how to create a .forward file in a user’s home
directory. Follow the steps below.
1. At a Sidewinder G2 command prompt, log in to the Sidewinder G2
using your administrator user ID and password.
2. Enter the following command to switch to the admn role:
srole
3. Enter the following command to change to the /home/username
directory (where username is a variable dependent on the user’s login).
cd /home/username
4. Use a text editor to create a new file called .forward.
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the File
Editor in the Admin Console as your text editor. See “Using the Admin Console File
Editor” on page 2-12.

Redirecting mail to a different destination
5. Enter the address where you want to have your mail redirected.
For example:
lloyd@foo.com
6. Save your changes.
7. Use the following command to change the owner of the file (the user
must also be the owner of the file):
chown username /home/username/.forward
8. Use the following command to set the appropriate permissions:
chmod 644 /home/username/.forward
9. Use the following command to change the file’s type:
chtype User:frwd .forward
Creating a .forward file in the root directory
To create a .forward file in the root directory, follow the steps below.
1. At a Sidewinder G2 command prompt, log in to the Sidewinder G2
using your administrator user ID and password.
2. Enter the following command to switch to the admn role:
srole
3. Enter the following command to change to the /root directory.
cd /root
4. Use a text editor to create a new file called .forward.
Note: If you are not familiar with vi, emacs, or pico, SCC recommends using the File
Editor in the Admin Console as your text editor. See “Using the Admin Console File
Editor” on page 2-12.
5. Enter the address where you want to have your mail redirected.
For example:
chloe@foo.com
6. Save your changes.
7. Use the following command to change the file’s type.
chtype Admn:frwd .forward
Electronic Mail 11-21

Other sendmail features
Other sendmail
features
11-22 Electronic Mail
The mail server is initially installed with default settings that enable
basic mail services. However, sendmail provides several additional
features that you may choose to configure:
Header stripping—Enables you to remove header information from
a message to conceal internal host information from the outside
world.
Note: Header information can only be removed for outbound mail (that is, mail
leaving the Sidewinder G2). Therefore, you should only enable header stripping in the
destination (or external) burb for a message. If you configure header stripping in the
source burb of a message, header stripping will not happen for that message.
Blackhole list—Enables you to eliminate unwanted and unsolicited
e-mail. The types of spam control you might implement include
use of a Realtime Blackhole list, Promiscuous Relaying, and so on.
Mail routing—Enables you to reroute e-mail from one domain name
to another domain name.
Mail aliases—Enables you to redirect inbound mail to another
person or location.
Masquerading—Enables you to transform a local host address in the
header of an e-mail message into the address of a different host.
Header stripping, the RealTime Blackhole list, and promiscuous
relaying are the most popular additional sendmail features. The details
for implementing these features are described in the sections that
follow. For information on implementing the other sendmail features,
refer to the book sendmail by Bryan Costales (O’Reilly & Associates,
Inc.).
Configuring sendmail to strip message headers
During the normal operation of sendmail, the path a message traces is
appended to the message by each host through which the mail
passes. This enables internal host names and IP addresses to be
allowed beyond the Sidewinder G2.

Other sendmail features
You can configure sendmail to strip or scrub the following headers
from messages leaving the Sidewinder G2.
Received (stripped)
X400-received (stripped)
Via (stripped)
Mail-from (stripped)
Return-path (stripped)
Message-id (scrubbed)
Resent-message-id (scrubbed)
Perform the following steps to configure sendmail to strip or scrub
headers.
1. Log in to the Admin Console and select Services Configuration ->
Servers.
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the M4 Config File in the external burb list and click Edit File.
4. Locate the C{STRIP_DOMAINS} line in the file and append the domain
name on which to perform header stripping. For example:
C{STRIP_DOMAINS} domainx
where domainx = the domain name on which to perform header
stripping.
You can define multiple domains by entering multiple domain names
on one line (for example, C{STRIP_DOMAINS} abc.com xyz.com)
Note: STRIP_DOMAINS contains the list of domains that will trigger header
stripping. Each message processed by sendmail in the external burb will be
subjected to header stripping if it is received from a domain in this list.
5. Save the changes you made to file and then close the file.
Note: Stripping the headers will NOT alter the To and From hosts. The To and From
hosts can be eliminated using rules in the sendmail configuration file. You can also
modify the To and From hosts using masquerading or by editing the domain tables.
6. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Electronic Mail 11-23

Other sendmail features
11-24 Electronic Mail
Configuring sendmail to use the RealTime Blackhole list
Sendmail is able to utilize the services of the RealTime Blackhole List.
The Blackhole List, a list of known spam domain names, is maintained
by an organization called MAPS (Mail Abuse Prevention System). The
mail server checks each mail message against the Blackhole list. Any
e-mail message originating from a domain in the list will be rejected.
Note: You must subscribe to the MAPS Blackhole List in order to use it. Go to
www.mail-abuse.org for details.
To configure the Sidewinder G2 to use the Realtime Blackhole List,
follow the steps below.
1. Log in to the Admin Console and select Services Configuration ->
Servers.
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the M4 Config File in the external burb list and click Edit File.
4. Add the following line to the file.
FEATURE(‘dnsbl’, ‘hostname’)dnl
The hostname that you enter in the above line will depend on the type
of service for which you have subscribed. MAPS will provide you with
the correct hostname (for example, blackholes.mail-abuse.org) to use
when you subscribe to their list.
5. Save the changes you made to file and then close the file.
6. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Sendmail and promiscuous relaying
Promiscuous relaying is the inappropriate use of an intermediate mail
server to send mail messages. A message that is sent from client A to
mail server B but that is first routed through mail server C is an
example of promiscuous relaying. This technique is often used by
hackers to send unfriendly or unwanted mail from mail servers other
than their own.

Figure 11-5. Type of
relayed message
typically rejected by the
Sidewinder G2
Other sendmail features
On the Sidewinder G2, sendmail is by default configured to BLOCK
relayed mail, preventing the Sidewinder G2 from inadvertently acting
as a relay. This means any message not originating from or destined
to the Sidewinder G2 domain is considered spam and will be rejected.
Note that the sender of the message is not relevant (sender names can
be spoofed). Figure 11-5 illustrates the type of relayed message that
will be rejected.
bad
hacker
innocent
victim
Internet
If you choose to ALLOW promiscuous relaying, perform the following
steps. (The Sidewinder G2 initially configures sendmail to BLOCK
relayed mail.)
1. Log in to the Admin Console and select Services Configuration ->
Servers.
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the M4 Config File for the burb that is running sendmail and click
Edit File.
4. Add the following line to the file.
FEATURE(‘promiscuous_relay’)dnl
5. Save the changes you made to file and then close the file.
6. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Allowing or denying mail on a user basis
mail
server
Sidewinder G2
domain
By default sendmail will allow or deny mail on a domain basis.
However, you can also instruct sendmail to allow or deny mail to/
from specific users within a domain. To do this, follow the steps
below:
Electronic Mail 11-25

Other sendmail features
11-26 Electronic Mail
1. Log in to the Admin Console and select Services Configuration ->
Servers.
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the Access Table file for the appropriate burb and click Edit File.
4. Add user-based allow (relay) and/or deny (reject) information to the
access table.
For example, if you want to allow mail addressed to Lloyd and Sharon
but deny mail addressed to everyone else, you would add the following
lines:
# Allow mail addressed to these users
To:Lloyd@bizco.net RELAY
To:Sharon@bizco.net RELAY
# Deny mail for everyone else
To:bizco.net REJECT
5. Save the changes you made to file and then close the file.
Note: For additional information, see the README file in the
/usr/share/sendmail directory on the Sidewinder G2.
6. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
Changing mail aliases
Aliases allow you to redirect mail to another person or location.
(Individual users can also use a .forward file for this purpose, see
“Redirecting mail to a different destination” on page 11-20.) Aliases
are generally used for redirecting mail addressed to system users such
as “postmaster.” On the Sidewinder G2, messages and other files are
often e-mailed to root. By default, a root alias is created for the
administrator you set up when you configured your system. For more
information about mail aliases see Chapter 19 of the UNIX System
Administration Handbook.
Aliases are stored in the /etc/sidewinder/sendmail directory. Follow
the steps below to edit this file:
1. Log in to the Admin Console and select Services Configuration ->
Servers.

Managing mail
queues
Managing mail queues
2. Select sendmail and click the Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the Aliases file for the burb that is running sendmail and click Edit
File.
To redirect messages to a different user, type the user name after the
colon for the account you want to redirect. For example, if you want to
direct root’s messages to user name piper, you would locate the root
line in the file and edit it to look like this:
root: piper
4. Save the changes you made to file and then close the file.
5. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.
6. To deny or restrict certain SMTP connections, add an appropriate proxy
rule.
If a sendmail message cannot be delivered, (for example, if the
destination system is down) messages are temporarily placed in
queues until they can be delivered. There are separate queues for
each server: /var/spool/mqueue.c (local) and /var/spool/mqueue.# for
the Internet and the trusted burbs. You should check the queues
periodically. If there are a lot of messages that are several days old,
you may have a problem with your system or its configuration.
To view the mail queue output type the following command:
/usr/bin/mailq
The output of this command will list the messages currently in the
queue you chose, along with information about each message. Each
message is assigned a unique identification number, which is shown
in the first column.
Electronic Mail 11-27

Managing mail queues
11-28 Electronic Mail
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty
Listing the burbname Queue
Mail queue is empty
By default, undelivered e-mail messages will remain in the mail
queues 30 minutes before another delivery attempt is made. If you
want to change the length of time e-mail messages remain in the mail
queues before another delivery attempt is made, follow the steps
below.
1. Log in to the Admin Console, and select Services Configuration ->
Servers.
2. Select the sendmail server Configuration tab. Separate configuration
files are maintained for each burb.
3. Select the M4 Config File for the burb that is running sendmail, and click
Edit File.
4. Scroll to the Set the Queue Interval area and edit the following line:
define(`confQUEUE_INTERVAL', `Xm')dnl
where:
X is the amount of time that the message will remain in the queue
before an attempt is made to resend the message.
m indicates that the time will be measured in minutes. You can also use
other time measurements, such as seconds (s), hours (h), days (d), etc. if
desired.
Note: The default value is 30 minutes.
5. Save the changes you made to file and then close the file.
6. Click the Save icon to save the configuration changes and rebuild the
configuration and database files. This will also automatically restart the
sendmail servers.

C HAPTER 12
Setting Up Web Services
About this chapter This chapter describes the Web options available with the Sidewinder
G2. It covers the following topics:
An overview of
Web Services on
Sidewinder G2
“An overview of Web Services on Sidewinder G2” on page 12-1
“Implementation options for Web access” on page 12-3
“Using the HTTP proxy” on page 12-6
“Using the Web proxy server” on page 12-10
“Configuring the Web proxy server” on page 12-12
“Configuring browsers for the Web proxy server” on page 12-19
The Sidewinder G2 allows you to control connections between your
internal network(s) and the World Wide Web. Using Application
Defenses, you can configure the appropriate rules to protect a client
(outgoing traffic), server (incoming traffic), or both behind your
Sidewinder G2. You can also configure whether you will allow
transparent, non-transparent, or both connections on a per-rule basis.
Note: For information on configuring Application Defenses, see Chapter 6.
The following two sections provide a summary of the three most
common types of Web access that you can configure on the
Sidewinder G2.
Web access for users on your internal network
Your internal users can access Web servers on the Internet or on a
trusted network. In either case, access can be regulated using a Web
proxy (HTTP or HTTPS), the Web proxy server, or both. When
internal users have access to an external Web server, it is called
"outbound traffic."
12
Setting Up Web Services 12-1

12
An overview of Web Services on Sidewinder G2
Figure 12-1. Web access
for users on your internal
network
Figure 12-2. Access to
your Web server by
untrusted external users
12-2 Setting Up Web Services
internal network
internal
Web site
Web server
DMZ burb
Web proxy
Internet
external network
Web server
Web site
Access to your Web server by untrusted external users
You can set up a Web server on a network controlled by your
Sidewinder G2. The Web server should be contained on an isolated
burb and network. Untrusted external users will be able to access this
Web server only if a Web proxy is enabled on the Sidewinder G2. You
can configure a Web proxy (HTTP/HTTPS), the Web proxy server, or
both to allow external users passage through the Sidewinder G2 to
the Web server. When external users have access to an internal Web
server, the traffic is called "inbound traffic."
internal network
internal
Web site
Web server
DMZ burb
Web proxy
Internet
external network
external user

Figure 12-3. Access to the
internal network by
trusted external users
Implementation
options for Web
access
Implementation options for Web access
Access to your internal network by trusted external users
You can configure clientless VPN (SSL-based VPN) services for your
trusted external users. Clientless VPN enables trusted external users
(for example, remote employees) to establish an SSL connection to
the internal network without requiring a dedicated VPN client. Trusted
external users can establish a VPN connection from any client that is
capable of handling SSL (such as a standard Web browser). A
common example of using clientless VPN is to allow a trusted external
user access to an internal mail server, such as Microsoft Exchange ®
Server, as shown in Figure 12-3. For information on configuring the
Sidewinder G2 to allow clientless VPN for trusted remote users, see
“Setting up clientless VPN access for trusted remote users” on page
12-8.
Web server
internal mail
server
internal network
HTTPS
proxy
Internet
external network
= VPN tunnel
= Data
trusted clientless
VPN user
Web access can be controlled using a Web proxy (HTTP or HTTPS),
the Web proxy server, or both. These Web options are typically used
in one of three configuration options, as shown in the following
examples:
Option 1: HTTP proxy regulates all Web traffic.
Option 2: Web proxy server regulates all Web traffic.
Option 3: Web proxy server regulates traffic from the trusted burbs
and the HTTP proxy regulates traffic from the Internet burb.
Setting Up Web Services 12-3

Implementation options for Web access
Figure 12-4. Option 1:
The HTTP proxy passes
all Web traffic
12-4 Setting Up Web Services
Option 1: HTTP proxy passes all Web traffic
Option 1 depicts a scenario in which the HTTP (or HTTPS) proxy
regulates Web traffic moving between all burbs on the Sidewinder G2.
Using the appropriate Web Application Defenses within your HTTP/
HTTPS proxy rules, you can configure URL properties, perform
request and reply header filtering, perform MIME/anti-virus filtering,
and deny certain types of Web content. You can also configure
whether allowed connections can be transparent, non-transparent, or
both. If you configure transparent HTTP, it will appear to a user that
they are connecting directly to Web server rather than connecting to
the Sidewinder G2 first. The HTTPS proxy also allows you perform
SSL decryption. Figure 12-4 illustrates the HTTP proxy regulating all
Web traffic.
internal user
internal
Web site
Web server
DMZ burb
HTTP proxy
Internet
internal network external network
Option 2: Web proxy server regulates all Web traffic
external user
Web server
Web site
In Option 2, the Web proxy server regulates Web traffic between all
burbs. This option is generally used in larger companies that have
security policies about how employees can use the Web. The Web
proxy server is the best option if you want to provide caching and
SmartFilter services on the Sidewinder G2. In general, caching does
not apply to Internet users that access a Web site on your internal
network. (Option 3 illustrates a more likely scenarios for using the
caching feature.)
Note: For more information on using the Web proxy server, refer to “Using the Web proxy
server” on page 12-10.

Figure 12-5. Option 2:
The Web proxy server
regulates all Web traffic
Figure 12-6. Option 3:
Web proxy server
regulates traffic from the
trusted burbs while HTTP
proxy passes traffic from
the Internet burb
internal user
internal
Web site
Web server
DMZ burb
Web proxy
Server
Implementation options for Web access
Internet
internal network external network
external user
Web server
Web site
Option 3: Web proxy server regulates traffic from the internal burbs
and the HTTP proxy passes traffic from the Internet burb
Option 3 depicts a scenario using both the HTTP proxy and the Web
proxy server. In this scenario, the HTTP proxy regulates Web traffic
coming from the Internet to a Web server on a trusted internal
network. The Web proxy server is configured to regulate Web traffic
that is initiated from an internal burb. The Web server being accessed
can reside on another isolated burb, or on the external burb.
Companies may want to restrict employee access to certain sites using
a Web filtering product such as Secure Computing’s SmartFilter
software.
internal user
internal
Web site
Web server
DMZ burb
HTTP proxy
Web proxy
server
Internet
internal network external network
external user
Web server
Web site
Setting Up Web Services 12-5

Using the HTTP proxy
Using the HTTP
proxy
12-6 Setting Up Web Services
Using the appropriate Web Application Defenses, you can configure
additional HTTP proxy rules that control URL properties, perform
request and reply header filtering, perform MIME/anti-virus filtering,
and deny certain types of Web content. You can also configure
whether connections will be transparent or non-transparent. If you
configure transparent HTTP, it will appear to a user that they are
connecting directly to the Web server rather than connecting to the
Sidewinder G2 first. See “Creating Web or Secure Web Application
Defenses” on page 6-4.
Using the HTTP proxy has the following limitations:
SmartFilter services are not available
Caching is not available
If you configured your Sidewinder G2 to use Standard Internet
services (the default configuration option), a rule called
InternetServices is automatically configured and placed in the active
proxy rule group. This rule consists of a service group with the HTTP
service included, allowing Web access from your internal network to
external networks using the HTTP proxy. However, you must enable
the HTTP proxy before the rule can pass traffic. (For information on
enabling the HTTP proxy, see “Configuring proxies” on page 8-28.)
Once the HTTP proxy is enabled, users on your internal network can
connect to the Web using any Web browser; the connections will be
routed through the Sidewinder G2 on port 80.
Figure 12-7 depicts access to external Web servers via an HTTP proxy
rule using port 80 allowing transparent connections. Figure 12-8
depicts access to Web servers via non-transparent HTTP proxy rule
using ports other than 80. (Transparency is configured on a per-rule
basis via Application Defenses.)
Note: For information on configuring the HTTP proxy, see “HTTP/HTTPS considerations”
on page 8-18.

Figure 12-7. Standard
(transparent) HTTP
proxy
Figure 12-8. Nontransparent
HTTP proxy
Web
browser
Web
browser
port 8080
port 80
port 8080
or any other
port
Setting up Web access using the HTTP proxy
Using the HTTP proxy
The following steps provide an overview of the tasks you must do to
set up Web access using the HTTP proxy on port 80.
1. Configure the appropriate proxy rules to restrict Web access.
A rule called InternetServices is automatically configured and placed in
the active proxy rule group. This rule consists of a service group that
includes basic HTTP access from your internal network to external
networks using the HTTP proxy. Once you enable the HTTP proxy, the
proxy rule allows all internal users to access Web sites.
You can create additional HTTP proxy rule(s) to control which internal
systems users can browse from and to which external systems they can
connect. You can also configure advanced HTTP properties (such as
transparency and MIME/anti-virus filtering) for a rule via Application
Defenses. (See Chapter 6 for information on creating Application
Defenses, and Chapter 7 for information on creating rules.)
2. Enable the HTTP proxy. The procedure to enable the HTTP proxy is
described in “Configuring proxies” on page 8-28.
3. Test the HTTP proxy.
internal
network
HTTP
http
proxy
Sidewinder G2
external
network
port 80
internal
external
network network
HTTP
nt_http
proxy
Sidewinder G2
Internet
Internet
Web site
Web server
port 80 Web site
or any other
port
Web server
Setting Up Web Services 12-7

Using the HTTP proxy
12-8 Setting Up Web Services
After you enable the proxy, you should test it by starting a Web browser
from one of your internal systems, and entering the address of a Web
site you know is valid—for example, you could attempt to access
Secure Computing at the following URL:
http://www.securecomputing.com.
Note: Make sure you use a system from which you did not deny access.
Setting up clientless VPN access for trusted remote users
This section provides guidance on configuring clientless VPN access
for your trusted remote users. When configuring clientless VPN
access, you can configure whether or not the Sidewinder G2 will
require proxy authentication. If you configure the Sidewinder G2 to
require proxy authentication, you must use SSO authentication.
Follow the steps below.
Note: You must have SSL Decryption and Strong Cryptography licensed to configure
clientless VPN services.
1. Enable the HTTPS proxy for the appropriate burbs. For information on
enabling proxies, see “Configuring proxies” on page 8-28.
2. Create an IP address network object for the protected server to which
your remote trusted users will be connecting (for example, a Microsoft
Exchange Server). For information on creating an IP address network
object, see “Configuring IP address objects” on page 5-15.
3. Create a Secure Web Application Defense with the following
configuration:
Note: For more information on configuring a Secure Web Application Defense, see
“Creating Web or Secure Web Application Defenses” on page 6-4.
a. In the Type field, select Server.
b. Select the Decrypt Web Traffic check box.
c. [Optional] If you are configuring remote access to an internal
Microsoft Exchange Server, select the Rewrite Microsoft OWA HTTP
check box.
d. Select the appropriate Firewall Certificate.
e. Select the Encryption/Decryption Methods you want to allow.
f. [Optional] Configure additional Secure Web Server Enforcements.
g. Click the Save icon to save the new defense.

Using the HTTP proxy
4. Create an HTTPS proxy rule to allow access. The fields listed below must
be configured as specified:
Note: You can configure rule fields that are not listed below as you see fit. For more
information on creating proxy rules, see “Creating proxy rules” on page 7-4.
General tab—Service Type=Proxy, Service=HTTPS, Action=Allow
Source/Dest tab—Redirect Host=IP Address network object for the
protected server, Redirect Port=80
[Optional] Authentication tab—If you want to require users to
authenticate via the proxy before being allowed access, you will
need to select Authenticate using SSO.
[Optional] Time tab—Configure as needed.
Application Defense tab—Select the defense you created in
step 3.
5. Add the HTTPS proxy rule to the active proxy rule group.
Once this rule is included in the active rule group, the Sidewinder G2 is
ready to allow trusted remote users access to the internal network.
How trusted remote users gain access to the internal network
This section lists the steps required for trusted remote users to gain
access to a protected internal server. The procedure will vary
depending on whether you have configured the HTTPS proxy rule to
require authentication.
If a user is not required to authenticate via the proxy:
1. Point your browser to the Sidewinder G2 decrypting HTTPS proxy (for
example, https://SWG2_address.com).
Note: Your Web browser may prompt you to approve the certificate that is
presented by the Sidewinder G2.
2. Authenticate to the server. If your server requires authentication, an
authentication prompt will appear. When you successfully authenticate,
you will be allowed to access that server.
If a user is required to authenticate via the proxy:
1. Point your browser to the Sidewinder G2 SSO direct login page and
authenticate.
2. [Conditional] If the server you are accessing requires certificate
validation, you will need to approve the certificate before you can
authenticate to the server.
Setting Up Web Services 12-9

Using the Web proxy server
Using the Web
proxy server
Figure 12-9. Sidewinder
G2 Web proxy server
12-10 Setting Up Web Services
3. Authenticate to the server. If your server requires authentication, an
authentication prompt will appear. When you successfully authenticate,
you will be allowed to access that server.
To allow Web access from an internal burb to an external burb using
the Web proxy server, you will need to set up the appropriate proxy
rule and enable the Web proxy server. Once the Web proxy server is
enabled, users on that internal burb can connect to the Web using a
Web browser by pointing at port 3128 (or whatever port you have
configured to use for the Web proxy server).
Figure 12-9 shows an example Web proxy server configuration.
Web
browser
port 3128
internal external
network network
Sidewinder G2
Internet
port 80
Web server
Web site
port 8080
(or any port
number you configured)
By using the Web proxy server you gain the following advantages.
Web access control using SmartFilter—When you route Web traffic
through the Web proxy server, you can control access by your
employees to Web sites based on content. For example, you can
block access to sites that provide sexually explicit or illegal
material using Secure Computing’s SmartFilter. Advanced
SmartFilter properties can be configured on a per-rule basis using
Application Defenses. (See Appendix E for information on using
SmartFilter with the Sidewinder G2).

Using the Web proxy server
Caching—The Web proxy server provides support for Web caching
on the Sidewinder G2. Web caching can improve performance of a
user’s Web browser by caching Web documents in the Sidewinder
G2 cache memory. When a user accesses a Web site, each new
Web page that the caching server downloads is also saved in cache
memory. The next time the user requests that page, the caching
server retrieves it from the cache rather than downloading it from
the network a second time.
Important: If you use the Web proxy server in non-transparent mode, all Web
browsers on your internal workstations must be configured to point to the
Sidewinder G2 internal name and to whatever port you have configured for the Web
proxy server. For information on what users need to do to configure their Web
browser, see “Configuring browsers for the Web proxy server” on page 12-19.
Setting up Web access using the Web proxy server
The following steps provide an overview of the tasks you must do to
set up Web access using the Web proxy server.
1. Configure the appropriate proxy rules to restrict Web access.
Once you enable the Web proxy server, you must configure one or
more proxy rules to control the burbs from which users can browse, and
to which burbs they can connect. See Chapter 7 for detailed
information on setting up proxy rules.
Note: When configuring the proxy rule for a Web proxy server connection, be sure to
specify Server in the Service Type field.
2. Configure and enable the Web proxy server. See “Configuring the Web
proxy server” on page 12-12.
3. [Optional] Configure authentication Web users.
You can configure the Sidewinder G2 to authenticate all users
requesting Web service using either a basic UNIX password or stronger
authentication methods before the Sidewinder G2 makes the network
connection. Refer to “Configuring authentication services” on page 9-11
for details on the authentication methods supported by the Sidewinder
G2.
4. Inform users how to configure their Web browsers. See “Configuring
browsers for the Web proxy server” on page 12-19.
Setting Up Web Services 12-11

Configuring the Web proxy server
Configuring the
Web proxy server
12-12 Setting Up Web Services
5. Test a Web connection.
You can test the Web proxy server by starting a Web browser from one
of your internal systems, and entering the address of a Web site you
know is valid—for example, you could attempt to access Secure
Computing at the following URL:
http://www.securecomputing.com.
Note: Make sure you use a system from which you did not deny access.
Error messages when using the Web proxy server
If you configure a Web proxy server proxy rule to deny a particular
Web connection and that connection is attempted by a user, the
message Access Denied by Firewall Access Rules is sent to the
user. This message is stored in the following file:
/usr/local/squid/etc/cvs/errors/ERR_SCC_DENIED
The message that appears can be modified by editing the file above.
Note: You must be in the Admn domain to edit this file.
If the file does not exist or is empty, the following message is issued
to the user:
Forbidden by proxy ACL check
To configure the Web proxy server, follow the steps below.
1. In the Admin Console, select Services Configuration -> Servers. The
Servers window appears.
2. Select WebProxy from the Server Name list. The Control tab for the Web
proxy server appears.

Figure 12-10. Web proxy
server window: Control
tab
Configuring the Web proxy
server Control tab
Figure 12-11. Web Proxy
Server window:
Configuration tab
Configuring the Web Proxy
Server Configuration tab
Configuring the Web proxy server
The Control tab allows you to enable or disable the Web proxy server.
Follow the steps below.
1. Select Enable to enable the Web proxy server.
2. To configure the properties for the Web proxy server, click the
Configuration tab. Follow the step below to configure the Configuration
tab.
The WebProxy Configuration tab allows you to determine how the
WebProxy server will be used in your system. Follow the steps below.
Note: The authentication method used by Squid is determined by the authentication
method specified within the proxy rule.
Setting Up Web Services 12-13

Configuring the Web proxy server
12-14 Setting Up Web Services
1. If you want to use SmartFilter to control Web access, select the Enable
SmartFilter Control List check box. If SmartFilter is enabled, you must
enter your SmartFilter subscription information in the SmartFilter
window. See “Configuring SmartFilter on the Sidewinder G2” on page A-
3 for details.
2. If you want the client IP address to be included in the request header,
select the Include Client Address in Requests check box.
3. Specify the amount of time you want to allow before a timeout occurs
by entering a numeral in the Timeout for HTTP Requests field, and then
select a unit of measurement from the drop-down list. The default is 30
seconds.
4. Configure the client connections that you want to allow. All client
connections that are currently configured are displayed in the Allow
Client Connections On area of the Configuration tab.
Note: Do not configure more than 31 entries in this list.
The following configuration options are available:
New—Click this button to add a new client connection. The
Configuration: Allowed Client Connections window appears. For
specific information on adding a new client connection, refer to
“Adding or modifying a client connection” on page 12-14.
Modify—Highlight the client connection you want to modify and
click this button to make changes to an existing client connection.
The Configuration: Allowed Client Connections window appears.
For specific information on adding a new client connection, refer
to “Adding or modifying a client connection” on page 12-14.
Delete—Highlight the client connection you want to delete and
click this button to delete an existing client connection. A
confirmation window appears. Click Yes to confirm the deletion.
Click No to cancel the request without deleting the client
connection.
5. Click the save icon in the toolbar to save your changes.
Adding or modifying a client connection
To add or modify a client connection in the Configuration: Allowed
Client Connections window, follow the steps below.
1. Specify the burb that on which you want the WebProxy server to listen
from the Burb Name drop-down list.

Figure 12-12. Web Proxy
Server window: Cache
tab
Configuring the Web Proxy
Server Cache tab
Configuring the Web proxy server
2. Specify the port number on which you want the WebProxy server to
listen in the Port Number field. You can use the drop-down list to select
a predefined port, or you can type a port number into the field.
3. Specify the type of IP address that you want the WebProxy server to
listen on from the Address drop-down list. The following options are
available:
Any—Select this option if you want to allow the Web Proxy server
to listen on any IP address for the burb that you selected.
Designated—Select this option if you want to specify the address
on which the WebProxy server will listen. The address you specify
must be located in the burb you selected in the Burb Name field.
4. Click Add to add this client connection to the list of WebProxy server
client connections (click OK if you are modifying the client connection).
5. To add an additional client connection, repeat step 1–step 4.
6. When you are finished adding or modifying client connections, click
Close.
Configuring caching options
To configure the caching options for the Web Proxy server, select
Services Configuration -> Servers. The Servers window appears. Select
WebProxy from the Server Name list, and then click the Cache tab. The
following window appears:
The WebProxy server Cache tab allows you to define disk and memory
characteristics for the Web proxy server. Disk caching allows Web
browsers to store information on the Sidewinder G2 for frequentlyused
sites, so information does not have to be downloaded each time
a site is accessed. To configure the WebProxy server using the Cache
tab, follow the steps below.
Setting Up Web Services 12-15

Configuring the Web proxy server
Figure 12-13. Web Proxy
Server window: Filtering
tab
12-16 Setting Up Web Services
1. Specify the name of the cache root directory in the Directory field. This
is the name of the directory in which cached files will be stored. The
default directory is /var/cache.
2. Specify the maximum amount of disk space (in MB) that can be used for
disk caching in the Maximum disk usage field. You should specify a
value of 1 or greater.
Note 1: Specifying zero does not turn off caching. To disable caching, you must edit
the file named squid.conf.template.
Note 2: The cache limit specified here is an approximate limit. That is, the actual
cached data may exceed what you specify in this field.
3. Specify the maximum amount of memory that can be used for disk
caching in the Maximum memory usage field.
4. In the Delete unused items after field, specify how long items will remain
in the cache directory before they are deleted
5. Click the save icon in the toolbar to save your changes.
Note: It may take a few minutes for any changes on this window to take effect.
Configuring HTTP filtering options
Select Services Configuration -> Servers. The Servers window appears.
Select WebProxy from the Server Name list, and then click the Filtering
tab. The following window appears:

Configuring Web Proxy
Server HTTP filtering
Configuring the Web proxy server
The WebProxy server Filtering tab allows you to define HTTP header
filtering. To configure the WebProxy server filtering, select the type of
HTTP header filtering you want, if any. The following options are
available:
None—Select this option if you do not want to use HTTP header
filtering.
Standard—Select this option if you want to deny the a basic set of
headers (the headers that will be denied are automatically selected
for you).
Paranoid—Select this option if you want to allow only the headers
that RFC-compliant. (All other headers will be denied.)
Custom—Select this option if you want to configure which HTTP
header types you will allow and deny. When you select a header
in the header list, you can also determine whether to Allow or Deny
the headers you select in the Filter Option field. You can also add,
delete, or clear HTTP header types in the HTTP Header Types list,
as follows:
— To add a new HTTP header type, click New. The New Custom
Header Type window appears. Enter the new header type and
click OK.
— To delete a custom HTTP header type, click Delete. The Select
a Custom Header Type to delete window appears. This
window contains a list of custom HTTP header types that have
been created. To delete a custom header, select the header
you want to delete and click OK. (The Delete button is grayed
out if you do not have any custom headers configured.)
— To de-select all HTTP header types from the HTTP Header
Types list, click Clear.
Manually editing the configuration file
Select Services Configuration -> Servers. The Servers window appears.
Select WebProxy from the Server Name list, and then click the
Advanced tab. The following window appears:
Setting Up Web Services 12-17

Configuring the Web proxy server
Figure 12-14. Web Proxy
Server window:
Advanced tab
Configuring the Web Proxy
Server Advanced tab
12-18 Setting Up Web Services
The WebProxy server Advanced tab allows you to edit the
squid.conf.template file directly rather than through the Web Proxy
Server windows. The Advanced window contains only one button
labelled Edit Squid Configuration. This button allows you to edit the
squid.conf.template file manually using the File Editor.
Important: If you manually edit the squid.conf.template file using the File Editor (or via
command line) you will need to run cf www reconfigure to update squid.conf and reread
the configuration files. Only an experienced administrator should manually edit the
squid.conf.template file directly.
The tabbed information on the Web Proxy Server windows is a subset
of the information in the squid.conf.template file. The tabs include the
information most likely to be changed. When you enter or update
information on any of the tabs of the Web Proxy Server window, you
are actually updating the squid.conf.template file.
When you enter or update information on any of the tabs, the Edit
Squid Configuration button becomes inactive until you click the Save
icon in the upper left portion of the window. This is to prevent the
changes that you have made using the Admin Console to become
overwritten by manual changes you might make to the file. When you
click the Save icon, the Edit Squid Configuration button becomes active
again.
Changing to transparent mode
The Web proxy server is in non-transparent mode when Sidewinder
G2 is initially installed. If you want the Web proxy server to operate in
transparent mode, do the following. (For information on transparent
vs. non-transparent mode, see “Transparent & non-transparent
proxies” on page 8-14.)

Configuring
browsers for the
Web proxy server
Configuring browsers for the Web proxy server
1. Select Services Configuration -> Servers. Highlight WebProxy in the list of
server names, then click the Advanced tab.
2. Click Edit Squid Configuration.
Note: If desired, you can also edit this file using a text editor such as vi, pico, or
emacs. The file resides in /etc/sidewinder/proxy/squid/squid.conf.template.
Set the following values within the "HTTP ACCELLERATION" lines in this
file.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
3. Save and close the file.
4. Click the Configuration tab and configure the Web proxy server to listen
on port 80. See “Configuring the Web Proxy Server Configuration tab”
on page 12-13 for details.
5. Click the save icon in the toolbar to save your changes.
You should inform users on your internal network how they should
configure their Web browsers to use the Web proxy server.
Note: You should not need to configure your browsers if you are in transparent mode.
To set up the browsers to work with the Web proxy server for Web
connections, there are two basic steps:
Specify the Sidewinder G2 fully qualified host name or IP address
in the browser’s proxy line.
Specify port number 3128 or whatever port you configured for the
Web proxy server.
Below are the setup procedures for recent versions of Mozilla Firefox,
Internet Explorer, and Netscape. If your users have older versions,
consider providing them with the latest version. For other browsers,
consult that browser’s documentation for defining an HTTP proxy
server.
Setting Up Web Services 12-19

Configuring browsers for the Web proxy server
12-20 Setting Up Web Services
Mozilla Firefox 1.0
To configure Mozilla Firefox for the Web proxy server, do the
following:
1. Start the Mozilla Firefox browser and select Tools -> Options.
2. Click Connection Settings.
3. Select the Manual Proxy Configuration radio button.
4. In the HTTP Proxy field, enter the fully qualified host name or IP address
of your Sidewinder G2. For example:
SWG2name.bizname.com
5. In the corresponding Port field, enter 3128 or whatever port you
configured for the Web proxy server.
6. Click OK.
Internet Explorer 4.0
To configure Internet Explorer 4.0 for the Web proxy server, do the
following:
1. Open the Control Panel window.
2. Double click the Internet icon.
3. Click on the Connection tab. In the Proxy Server section enable the
option titled Access the Internet using a proxy server.
4. Fill in the text boxes next to HTTP Proxy and Port.
For the HTTP Proxy field, enter the fully qualified host name or IP
address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the port field, enter 3128 or whatever port you configured for
the Web proxy server.
5. Click OK.

Internet Explorer 5.x/6.x
Configuring browsers for the Web proxy server
To configure Internet Explorer 5.x for the Web proxy server, do the
following:
1. Start the Internet Explorer browser and select Tools -> Internet Options.
2. Click the Connections tab.
3. Click LAN Settings.
4. Check the Use a Proxy Server box.
For the Address field, enter the fully qualified host name or IP
address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the Port field, enter 3128 or whatever port you configured for
the Web proxy server.
5. Click OK.
Netscape version 6.x/7.x
To configure Netscape 6.x/7.xfor the Web proxy server, do the
following:
Important: As an administrator, be aware that some versions of Netscape will
remember the user ID and password after the browser is closed and will not reauthenticate
a user after the browser is restarted. This is a security concern when multiple
users share a workstation or do not lock their systems.
1. Start the Netscape browser and select Edit -> Preferences.
2. Select the Advanced -> Proxies category.
3. Select Manual proxy configuration.
4. Fill in the text boxes next to HTTP Proxy and Port as follows:
For the HTTP Proxy field, enter the fully qualified host name or IP
address of your Sidewinder G2. For example:
SWG2name.bizname.com
For the Port field, enter 3128 (or whatever port you configured for
the Web proxy server).
5. Click OK.
Setting Up Web Services 12-21

Configuring browsers for the Web proxy server
12-22 Setting Up Web Services
Certain browsers on UNIX
For some UNIX browsers that do not have a proxy configuration
screen, you must set the http_proxy environment variable to
http://sidewinder.com:3128/. To do so, edit either the C shell or the
Bourne shell, as follows:
Enter the following command in the C shell (CSH):
setenv http_proxy http://SWG2name.bizname.com:3128/
Enter the following command in the Bourne shell:
http_proxy="http://SWG2name.bizname.com:3128/"

1
C HAPTER 13
Configuring Virtual Private
Networks
About this chapter If you have purchased the virtual private network (VPN) option for
the Sidewinder G2, you can establish encrypted data transmissions
between two Internet-Protocol Security (IPSec)-compliant servers.
This chapter introduces the standards of IPSec and Internet Key
Exchange (IKE) and describes the Sidewinder G2 embedded VPN
solution. This chapter includes ‘the following topics:
Sidewinder G2
VPN overview
“Sidewinder G2 VPN overview” on page 13-1
“Configuring the ISAKMP server” on page 13-11
“Configuring the Certificate server” on page 13-13
“Understanding virtual burbs” on page 13-15
“Configuring client address pools” on page 13-18
“Configuring Certificate Management” on page 13-27
“Importing and exporting certificates” on page 13-44
“Configuring VPN Security Associations” on page 13-51
“Example VPN Scenarios” on page 13-65
The Sidewinder G2 VPN solution provides secure data transmission
through an encryption and decryption process. The Sidewinder G2
uses the Internet Key Exchange (IKE) to support this process. The
Sidewinder G2 also supports the use of manually configured
encryption keys.
13
Configuring Virtual Private Networks 13-1

13
Sidewinder G2 VPN overview
Figure 13-1.
Sidewinder G2s, an IPSec
or IKE remote site, or a
VPN client machine
13-2 Configuring Virtual Private Networks
Toronto
London
Certificate
server
Internet
One of the most advanced features of the Sidewinder G2 VPN
solution is the fact that VPN has been embedded into the architecture,
making it an operating characteristic of the OS. This integration not
only lets you apply access rules to VPNs in exactly the same way you
do for physically connected networks but also means that you use the
Sidewinder G2 VPN solution to coordinate corporate-wide network
security policies.
As companies expand to new locations and employees spend more
time working out of the office, VPN solutions are becoming more and
more important to businesses. Consider the value of encrypting and
authenticating data in these situations:
passing traffic from Sidewinder G2 to Sidewinder G2 between
offices located in different cities.
passing traffic from employees working remotely to your network.
An introduction to IPSec technology
Any IPSec
remote site
VPN client
Sydney
The Internet is a broadcast medium that is used to send information.
While information is in transit, anyone can choose to monitor or
intercept this information.

Protecting your
information
What are encryption and
authentication?
Sidewinder G2 VPN overview
Sending information beyond your Sidewinder G2 via the Internet is
like sending an unsealed envelope of important information via a
courier service: you must trust that the courier will not read or steal
the information.
To address this danger, an organization known as IETF (Internet
Engineering Task Force) developed a standard for protecting data on
unprotected (or untrusted) networks such as the Internet. The
standard has become known as IPSec, meaning Internet-Protocol
Security. In brief, IPSec calls for encrypting the data before it leaves
the local host, then decrypting it (removing its “cloak” of encryption)
when it is received at the destination or remote host. Once it is
decrypted, the data assumes its original form and can be read as
intended. No matter how long or circuitous its route through the
Internet, the data remains private by virtue of its encryption.
The two main components of IPSec security are encryption and
authentication.
Encryption — Encryption is the means by which plain text is
“cloaked.” It ensures that the transmitted data remains private and
unreadable until properly decrypted. The Sidewinder G2 uses an
encryption key to encipher and decipher each unit of data sent
between your site and the “partner” or remote VPN site. (See
“About IPSec keys” on page 13-4.)
Authentication — VPN authentication prevents unauthorized
individuals from tampering with the contents of the data being
transmitted. It also prevents them from creating messages that
claim to come from a particular place but are actually sent from
somewhere else (such as the hacker’s home computer).
Authentication is accomplished through two methods:
— Data-integrity checking, which allows the receiver to verify
whether the data was modified or corrupted during transmission.
— Sender identification, which allows the receiver to verify
whether the data transmission originated from the source that
claims to have sent it.
Configuring Virtual Private Networks 13-3

Sidewinder G2 VPN overview
13-4 Configuring Virtual Private Networks
When used together, encryption and authentication are very much
like writing an encoded message, sealing it in an envelope, and then
signing your name across the flap. The receiver can first verify that the
signature is yours as a means of determining the origin of the
message. Next, the receiver can determine if the contents have been
viewed or altered by checking that the envelope seal has not been
compromised. Once the receiver is assured of the authenticity of the
message, they can decode the contents and “trust” that the contents
are as intended.
VPN configuration options
VPN involves establishing an association (or a trust relationship)
between your Sidewinder G2 and an IPSec-compliant remote
Sidewinder G2, host, or client. (These entities are referred to as “VPN
peers.”) Once this trust relationship is defined, data sent between the
two ends is encrypted and then authenticated before it is transmitted.
There are three important concepts that comprise the Sidewinder G2
VPN:
IPSec keys, which determine how the information is encrypted
and decrypted, and may be manually or automatically exchanged.
certificates, pre-shared passwords, and extended authentication,
which authenticate the VPN peer.
tunnel or transport encapsulation, two methods of how header
information is passed.
Understanding the options associated with each concept will assist
you greatly in creating your security association. Study the following
information to help you determine which VPN configuration best suits
your network environment.
About IPSec keys
A key is a number that is used to electronically sign, encrypt and
authenticate data when you send it, and decrypt and authenticate
your data when it is received. When a VPN is established between
two sites, two keys are generated for each remote end: an encryption
key and an authentication key.

Sidewinder G2 VPN overview
To prevent these keys from being guessed or calculated by a third
party, a key is a large number. Encryption and authentication (or
session) keys are unique to each VPN security association you create.
Once generated, these keys are exchanged (either automatically or
manually) between the sites, so that each end of the VPN knows the
other end’s keys.
To generate key pairs, the Sidewinder G2 gives you two options:
Manual key generation — If the remote site is not Internet Key
Exchange (IKE)-compliant, you may want to choose the manual
method of key generation. With this method, the Sidewinder G2
provides randomly-generated encryption and authentication keys
(or you can create your own) which you must copy and pass to
the remote end of the VPN via secure e-mail, diskette, or
telephone. Repeat this process each time you generate keys.
Manual keys are more labor intensive than automatic keys and
rarely used.
Automatic key generation using IKE — If the remote end of your VPN
uses the IKE protocol, the Sidewinder G2 can manage the
generation of session keys between sites automatically. This
process also regularly changes the keys to avoid key-guessing
attacks. Automatic keys are very common in today’s network
environments.
Authenticating IKE VPNs
If you are using manual key generation, each time you generate
session keys you must communicate directly with the other end of the
VPN via telephone, diskette, or e-mail. By contacting the remote end
of the VPN each time you change session keys, you manually verify
that the remote end is actually whom they claim to be.
With automatic key generation, once you gather the initial information
for the remote end of the VPN, there is no further direct contact
between you and the remote end of the VPN. Session keys are
automatically and continually generated and updated based on this
initial identifying information. As a result, the Sidewinder G2 requires
a way to assure that the machine with which you are negotiating
session keys is actually whom they claim to be - a way to authenticate
the other end of the VPN. To allow automatic key generation, the
Sidewinder G2 offers the following authentication techniques:
Configuring Virtual Private Networks 13-5

Sidewinder G2 VPN overview
13-6 Configuring Virtual Private Networks
a pre-shared password — When you must generate keys, the
Sidewinder G2 and the remote end must both use the agreed upon
password, defined during the initial configuration of the VPN, to
authenticate each peer.
a single certificate — Single certificate authentication requires that
the Sidewinder G2 generate a certificate and private key to be kept
on the Sidewinder G2 and a certificate and private key to be
exported and installed on a client. Each certificate, once installed
on its end of a VPN connection, acts as a trust point. A single
certificate (also referred to as a "self-signed certificate") differs from
Certificate Authority (CA) based certificates in that no root
certificate is necessary.
a Certificate Authority policy — The Sidewinder G2 can be configured
to trust certificates from a particular certificate authority (CA).
Thus, it will trust any certificate that is signed by a particular CA
and meets certain administrator-configured requirements on the
identity contained within the certificate. Because of the nature of
this type of policy, Secure Computing recommends that only
locally administered Certificate Authorities be used in this type of
policy. Certificate authorities are described further in “Configuring
Certificate Management” later in this chapter.
Transport mode vs. tunnel mode
There are two methods for encapsulating packets in a VPN
connection: transport mode and tunnel mode. The following
paragraphs provide a description of each method.
Transport mode — In transport mode, only the data portion of the
packet gets encrypted. This means that if a packet is intercepted, a
hacker will not be able to read your information, but will be able
to determine where it is going and where it has originated. This
mode existed before firewalls and was designed for host-to-host
communications.
Tunnel mode — In tunnel mode, both the header information and
the data is encrypted and a new packet header is attached. The
encryption and new packet header act as a secure cloak or
"tunnel" for the data inside. If the packet is intercepted, a hacker
will not be able to determine any information about the true
origin, final destination or data contained within the packet. This
mode is designed to address the needs of hosts that exist behind a
Sidewinder G2. Because the packet header is encrypted, private
source or destination IP addresses can remain hidden.

Configuring hardware acceleration for VPN
Sidewinder G2 VPN overview
When configuring VPNs you have the option of utilizing a Sidewinder
G2 premium feature called VPN hardware acceleration, which is
implemented using a hardware accelerator. When you use a hardware
accelerator, Sidewinder G2 performance may improve because the
VPN encryption, decryption, and authentication tasks are pushed
down to the board level. This frees up the Sidewinder G2 to perform
other tasks and in some cases increases the throughput of your VPN
traffic.
Note: Hardware acceleration cannot be used for policies protected only by
authentication (known as Authentication Header or AH).
To implement VPN hardware acceleration you must do the following:
Install a hardware accelerator. Consult the product documentation
for the accelerator and chassis.
License both the VPN and the hardware acceleration premium
features. See “Activating the Sidewinder G2 license” on page 3-19
for licensing information.
Enable the VPN hardware acceleration feature. This is
accomplished in the Admin Console by selecting Firewall
Administration -> Interface Configuration, then enabling the Enable
vpn_acceleration check box in the Hardware Capabilities area. See
“Modifying the interface configuration” on page 3-50 for details.
Important: When selecting the IPSec crypto algorithms to use with VPN traffic that
will be accelerated, do not use the cast128 or AES algorithms. The current supported
hardware acceleration boards do not support this algorithm. The IPSec crypto
algorithms are defined on the Crypto tab of the Security Associations window.
Configuring a VPN client
To establish an encrypted session between a laptop or desktop
computer with the Sidewinder G2 and gain access to a trusted
network, the user needs to install a VPN client. For details on
installing and configuring your VPN client, consult your product
documentation.
Configuring Virtual Private Networks 13-7

Sidewinder G2 VPN overview
13-8 Configuring Virtual Private Networks
In many cases the VPN client will be SoftRemote ® . Secure Computing
and SafeNet partner to make that VPN client available from Secure
Computing. When you order your SoftRemote client software from
Secure Computing you receive a copy of the VPN Administration
Guide available on the SoftRemote CD. This guide provides detailed
instructions for implementing a VPN using a Sidewinder G2 and
SoftRemote.
Extended Authentication for VPN
The Extended Authentication (XAUTH) option provides an additional
level of security to your VPN network. In addition to the normal
authentication checks inherent during the negotiation process at the
start of every VPN association, Extended Authentication goes one step
further by requiring the person requesting the VPN connection to
validate their identity. The Extended Authentication option is most
useful if you have travelling employees that connect remotely to your
network using laptop computers. If a laptop computer is stolen,
without Extended Authentication it might be possible for an outsider
to illegally access your network. This is because the information
needed to establish the VPN connection (the self-signed certificate,
etc.) is saved within the VPN client software. When Extended
Authentication is used, however, a connection will not be established
until the user enters an additional piece of authentication information
that is not saved on the computer—either a one-time password,
passcode, or PIN. This additional level of authentication renders the
VPN capabilities of the laptop useless when in the hands of a thief.

Sidewinder G2 VPN overview
Implementing Extended Authentication on the Sidewinder G2 is a
simple two step process.
1. Specify the authentication method(s) that are available on your
Sidewinder G2 See “Supported authentication methods” on page 9-5
for information on supported methods.
Do this by selecting VPN Configuration -> ISAKMP Server, then enabling
the desired methods in the Available Authentication Methods field. See
“Configuring the ISAKMP server” on page 13-11 for details.
2. Enable Extended Authentication for the desired VPN security
association(s).
This is accomplished by selecting VPN Configuration -> Security
Associations and then clicking the Require Extended Authentication
check box. See “Entering information on the Authentication tab” on
page 13-56 for more details.
Note: Extended Authentication must also be enabled on the remote client. See your client
software documentation for information on configuring and enabling Extended
Authentication.
What type of VPN authentication should I use?
The Sidewinder G2 supports four different VPN authentication
methods. The characteristics of a VPN peer determine which type of
authentication best fits your VPN configuration. Extend authentication
may be added to any automated authentication method for increased
security.
Note: Extended authentication not available for Sidewinder G2-to-Sidewinder G2
configurations or any configuration that uses a manual key exchange.
Configuring Virtual Private Networks 13-9

Sidewinder G2 VPN overview
13-10 Configuring Virtual Private Networks
Table 13-1. VPN Authentication options
Authentication Summary
Manual key VPN authenticates using a manual key exchanged over a telephone or other secure
connection - keying information is cumbersome to enter and not changed
often, which reduces security
uncommon in today’s networks, but used for resolving interoperability
problems with other vendors’ IPSec products
cannot be used for dynamic IP-assigned clients or gateways
each VPN peer requires its own Sidewinder G2 VPN configuration
Automatic key
shared password
VPN
Automatic key single
certificate VPN
Automatic key
certificate authoritybased
VPN
primary authentication is password sharing with the VPN peer, recommended
to use with Extended Authentication
ideally suited for travelling and home users when paired with a strong
extended authentication, such as SafeWord PremierAccess
may be used with dynamic IP-assigned clients, but the clients must be
configured to use Aggressive Mode.
single Sidewinder G2 VPN configuration can be used to administer many VPN
clients
authenticates using a self-signed public certificate - each VPN peer must first
import the corresponding peer’s certificate
ideally used for a small number of remote clients
used with dynamic IP-assigned clients and gateways
each peer certificate requires its own Sidewinder G2 security association
authenticates each VPN peer by using a certificate signed by a certificate
authority trusted by the other peer
ideally suited for roving client VPN peers (such as those using laptop
computers)
used with dynamic IP-assigned clients and gateways
single Sidewinder G2 security association can be used to administer many VPN
clients.
General guidelines for selecting a VPN authentication type
Here are some general guidelines to follow when you are deciding
which type of VPN to use:
If the VPN peer is not a Secure Computing product, and all other
types of VPN methods do not work, try the manual key VPN.
For a small number of VPN peer clients with dynamically assigned
IP addresses, the single certificate VPN is a cost-effective solution.
A shared password VPN in conjunction with Extended
Authentication is also an option.

Configuring the
ISAKMP server
Figure 13-2. ISAKMP
Server window
Configuring the ISAKMP
Server window
Configuring the ISAKMP server
If the VPN peer has a static IP address, the pre-shared password
VPN is the easiest to configure. Extended Authentication would
not be used in a gateway to gateway configuration as there is no
one to provide the challenge/response.
If there is a large number of VPN peer clients with dynamically
assigned-IP addresses (such as a traveling sales force), the CAbased
VPN is often the easiest to configure and maintain. Another
popular option is to use a pre-shared password VPN in
conjunction with Extended Authentication.
If you are using automatic key exchange, you will need to configure
the Internet Security Association and Key Management Protocol
(ISAKMP) server before using any automatic key VPNs. To configure
the ISAKMP server, select VPN Configuration -> ISAKMP Server. The
following window appears.
The ISAKMP server is used by the Sidewinder G2 to generate and
exchange keys for VPN sessions. To configure the ISAKMP server,
follow the steps below.
1. In the Burbs to Listen on box, select the burbs that will have access to
the ISAKMP server. A checkmark appears next to each burb that has
access to the server.
Configuring Virtual Private Networks 13-11

Configuring the ISAKMP server
13-12 Configuring Virtual Private Networks
2. To allow ISAKMP to send and receive certificates with remote peers
using the ISAKMP protocol, select the Allow Certificate Negotiation
check box. (If you de-select this option, all certificates used to
authenticate remote peers must either be in the local certificate
database or be accessible via LDAP.)
3. In the P1 Retries field, specify the number of times ISAKMP will attempt
to resend a packet for which it has not received a response.
4. In the P1 Retry Timeout field, specify the number of seconds ISAKMP will
use for an initial timeout before resending a packet.
5. In the Audit Level field, select the type of auditing that should be
performed on the ISAKMP server. The options are:
Error—Logs only major errors.
Normal—Logs only major errors and informational messages.
Verbose—Logs all errors and informational messages.
Debug—Logs all errors and informational messages. Also logs all
debug information.
Trace—Logs all errors and informational messages. Also logs
debug and function trace information.
6. In the Available Authentication Methods field, select the authentication
method(s) you want to be made available for VPN associations that use
Extended Authentication. A checkmark appears when an
authentication button is selected. See “Extended Authentication for
VPN” on page 13-8 for a detailed description of Extended
Authentication.
Note: You must configure an authentication method before it can be selected. See
“Configuring authentication services” on page 9-11 for more information.
7. If two or more authentication methods are selected, you should specify
a default method from the Default drop-down list. If a default method is
not selected, the first method selected in the list will be the default
method.
8. Click the Save icon in the toolbar to save your changes.

Configuring the
Certificate server
Allowing access to the ISAKMP server
Configuring the Certificate server
An ISAKMP rule is required in order to allow access to and from the
ISAKMP server. “Creating proxy rules” on page 7-4 describes how to
define a proxy rule. The ISAKMP proxy rule must contain the
following values:
Service Type = Server
Service = isakmp
Src Burb = the Internet burb
Dest. Burb = the Internet burb
Source address = All Source Addresses (or addresses of remote VPN
peers)
Destination address = a network object representing the IP address
of the Internet burb, or a netgroup that contains a network object
representing the IP address of the Internet burb
This ISAKMP rule is implicitly bi-directional, meaning it enables
ISAKMP traffic in both directions.
Enabling/disabling the ISAKMP server
Perform the following steps to enable or disable the ISAKMP server.
1. In the Admin Console, select Services Configuration -> Servers.
2. Select isakmp from the list of server names.
3. Click Enable or Disable.
4. Click the Save icon in the toolbar.
The Certificate server performs a number of functions, including
providing support for the certificate management daemon (CMD) and
for an optional external LDAP server. If the LDAP function is
configured, it can be used to automatically retrieve certificates and
Certificate Revocation Lists (CRLs) from a Version 2 or Version 3
Lightweight Directory Access Protocol (LDAP) Server. The Sidewinder
G2 will attempt to retrieve any certificates and (optionally) any CRLs
that it needs to validate certificates in CA-based VPN. Note that the
LDAP functionality is used only for non-Netscape Certificate
Authorities (for example Baltimore, Entrust, and etc.).
Configuring Virtual Private Networks 13-13

Configuring the Certificate server
Figure 13-3. Server
Control window:
Configuration tab
About the Certificate Server
Configuration tab
13-14 Configuring Virtual Private Networks
Note: In addition to configuring the Certificate server, a root certificate from the
Certificate Authority must be imported into the Certificate Authorities tab for a certificate
issued by the CA to validate.
To configure the Certificate server, select Services Configuration ->
Servers. Select cmd in the list of server names, and then select the
Configuration tab. The following window appears.
The Certificate Server Configuration tab allows you to configure the
Certificate Server. Follow the steps below.
Important: Many of the functions you can perform on this window require the use of
the CMD server. See “Activating the Sidewinder G2 license” on page 3-19 for instructions on
enabling the CMD server.
1. To enable the LDAP feature, select the Use LDAP to search for Certificates
and CRLs check box, and follow the sub-steps below. If enabled, the
Sidewinder G2 will attempt to retrieve the certificates and CRLs it needs
from an LDAP server.
a. In the LDAP Server Address field, type the IP address of the LDAP
server.
b. In the LDAP Server Port field, type the port number on which the
LDAP server listens. The port number is typically 389, but the server
can be configured to listen on different ports.
c. In the LDAP Timeout field, specify the maximum time (in seconds)
that CMD will wait while performing an LDAP search. The valid
range is between 0 and 3600 seconds. The recommend value is
between 5 and 300 seconds.

Understanding
virtual burbs
Understanding virtual burbs
2. In the Maximum Validated Key Cache Size field, specify the maximum
number of validated keys that will be stored in cache memory. Caching
validated keys can increase system performance. Valid ranges are
0–500. A value of 0 indicates that no keys will be cached. For most
systems a value of 100 is sufficient.
3. In the Certificate Key Cache Lifetime field, specify the maximum amount
of time a certificate can remain in the validated key cache before it must
be re-validated. The valid range is 0–168 hours (1 week). A value of 0
indicates that the certificate keys must be re-validated with each use.
4. Select the Perform CRL Checking check box to enable CRL checking. If
this option is disabled, CRL lists will not be consulted when validating
certificates.
5. In the CRL Retrieval Interval for CAs drop-down list, specify how often a
CA is queried in order to retrieve a new CRL.
6. In the Audit Level drop-down list, select the type of auditing that should
be performed on this server. The options are:
Error—Logs only major errors.
Normal—Logs only major errors and informational messages.
Verbose—Logs all errors and informational messages.
Debug—Logs all errors and informational messages. Also logs all
debug information.
Trace—Logs all errors and informational messages. Logs all debug
and function trace information.
7. Click the Save icon in the toolbar.
A virtual burb is a burb that does not contain a network interface card
(NIC). The sole purpose of a virtual burb is to serve as a logical
endpoint for a VPN association. Terminating a VPN association in a
virtual burb accomplishes two important goals:
It separates VPN traffic from non-VPN traffic.
It enables you to enforce a security policy that applies strictly to
your VPN users.
Configuring Virtual Private Networks 13-15

Understanding virtual burbs
Figure 13-4. Virtual burb
vs. a non-virtual burb
VPN implementation
13-16 Configuring Virtual Private Networks
Consider a VPN policy that is implemented without the use of a virtual
burb. Not only will VPN traffic mix with non-VPN traffic, but there is
no way to enforce a different set of rules for the VPN traffic. This is
because proxies and rules are applied on burb basis, not to specific
traffic within a burb. By terminating the VPN in a virtual burb you
effectively isolate the VPN traffic from non-VPN traffic. Plus, you are
able to configure a unique set of rules for the virtual burb that allow
you to control precisely what your VPN users can or cannot do.
Figure 13-4 illustrates this concept.
VPN without a virtual burb
Sidewinder G2
Internal
network
Trusted
burb
Proxies
Internet
burb
VPN with a virtual burb
Sidewinder G2
Internal
network
Trusted
burb
Proxies
Proxies
Virtual
burb
= VPN tunnel
= Data
Internet
burb
Internet
Internet
Non-VPN
Client
VPN
Client
Non-VPN
Client
VPN
Client
Note: Both VPN implementations depicted in Figure 13-4 represent "proxied" VPNs
because proxies must be used to move VPN data between burbs. The use of proxies enables
you to control the resources that a VPN client has access to on your internal network.
A virtual burb can support all the same services as a normal burb. If
traffic coming from the virtual burb is destined to the Sidewinder G2
itself (for example, DNS or SSH) the rule that allows traffic across that
burb must specify a NAT address of localhost. If localhost is not
specified, the Sidewinder G2 will not be able to route traffic back to
the originator.

Understanding virtual burbs
You can define up to 24 physical and virtual burbs. For example, if
you have two distinct types of VPN associations and you want to
apply a different set of rules to each type, create two virtual burbs,
then configure the required proxies and rules for each virtual burb.
One question that might come to mind when using a virtual burb is:
"How does VPN traffic get to the virtual burb if it doesn’t have a
network card?" All VPN traffic originating from the Internet initially
arrives via the network interface card in the Internet burb. A VPN
security association, however, can internally route and logically
terminate VPN traffic in any burb on the Sidewinder G2. By defining a
security association to terminate the VPN in a virtual burb, the VPN
traffic is automatically routed to that virtual burb within the
Sidewinder G2. Thus, the trusted network now recognizes the virtual
burb as the source burb for your VPN traffic. From the virtual burb, a
proxy and rule are needed to move the traffic to a trusted burb with
network access.
Creating and using a virtual burb with a VPN
This section explains how to create a virtual burb on the Sidewinder
G2 and how to use it in a VPN association.
Create the virtual burb 1. In the Admin Console, select Firewall Administration -> Burb
Configuration.
2. Click New.
a. In the Burb Name field, type the name for your virtual burb.
b. Click OK.
3. Click the Save icon.
Configure proxies and rules 4. In the Admin Console, select Services Configuration -> Proxies and
enable the desired proxies in the virtual burb.
Configuring Virtual Private Networks 13-17

Configuring client address pools
Terminate the desired VPN
association in the virtual
burb
Configuring client
address pools
13-18 Configuring Virtual Private Networks
5. Select Policy Configuration -> Rules and define the rules that allow
access to and from the virtual burb.
Note: Be sure to add any rules you create to the active proxy rule group.
The virtual burb should be specified as either the source or destination
burb, depending on the type of rule being defined.
6. Terminate the desired VPN security association(s) in the virtual burb.
See “Configuring VPN Security Associations” on page 13-51 for
information on creating or modifying a VPN association.
Client address pools are used to simplify the management of VPN
clients. They do so by having the Sidewinder G2 manage certain
configuration details on behalf of the client. All the client needs is:
Client software that supports ISAKMP mode-config exchange
Authorization information (a client certificate, a password, etc.)
The address of the Sidewinder G2
Here is how it works: you create a "pool" of IP addresses that will be
used by remote clients when they attempt to make a VPN connection.
When a client attempts a connection, the Sidewinder G2 assigns it one
of the IP addresses available in the address pool. The Sidewinder G2
also negotiates with the client to determine other VPN requirements,
such as which DNS and/or WINS servers will be made available to the
client. If the negotiation is successful, the client is connected and the
VPN association is established.
Note: To date, not all VPN client software supports the negotiation of every client address
pool parameter. Be sure to verify that your client(s) support the necessary features.
The number of IP addresses available in the client address pool is
dictated by the value defined in the Virtual Subnet field. Even though
the client may have a fixed IP address, the address used within the
VPN association is the address assigned to it from the address pool.
The address pool works for both fixed and dynamic clients. This
means that in the scenarios described at the end of this chapter,
address pools could be used in scenario 2 or scenario 3.
You can create multiple client address pools if desired. Grouping VPN
clients into distinct pools allows you to limit the resources the clients
in each group can access.
The following sections explain how to configure client address pools.

Figure 13-5. Client
Address Pools
About the Client Address
Pools window
Configuring a new client address pool
Configuring client address pools
To configure a new Client Address Pool, select VPN Configuration ->
Client Address Pools. The following window appears.
This window allows you to create and modify client address pools.
You can perform the following actions in this window:
Create a new client address pool—To create a new client address
pool, click New in the Pools area. The New Pool window appears.
See “About the New Pool window” on page 13-20.
Delete a client address pool—To delete a client address pool,
highlight the pool in the Pool list and click Delete. Click Yes to
confirm the deletion.
Configure a client address pool—To configure the client address pool
tabs, see the following:
— For information on configuring the Subnets tab, see
“Configuring the Subnets tab” on page 13-20.
— For information on configuring the Servers tab, see
“Configuring the DNS and/or WINS servers” on page 13-22.
— For information on configuring the Fixed IP Map tab, see
“Configuring the fixed IP map” on page 13-24.
Configuring Virtual Private Networks 13-19

Configuring client address pools
About the New Pool
window
13-20 Configuring Virtual Private Networks
The New Pool window allows you to create a new client address
pool. Follow the steps below.
1. In the Pool Name field, type the name of the new address pool.
2. In the Virtual Subnet field, specify the network portion of the IP
addresses that will be used in the client address pool, and the number
of bits to use in the network mask. The network mask specifies the
significant portion of the IP address.
3. In the Define the Local Subnets available to remote clients area, configure
the local networks that will be available to remote clients that establish
a VPN association using an address from the client address pool. The
following options are available:
Create a new local subnet—Click New to define a new entry in the
Local Subnet List. See “Adding or modifying a subnet address” for
details.
Modify a local subnet—Highlight the subnet you want to modify
and click Modify to modify an existing entry in the Local Subnet
List. See “Adding or modifying a subnet address” on page 13-22 for
details.
Delete a local subnet—Highlight the subnet you want to delete
and click Delete to delete an existing entry from the Local Subnet
List.
4. Click Add to add the new client address pool. To configure the Server
tab, see “Configuring the Subnets tab” on page 13-20. To configure the
Fixed IP Map tab, see “Configuring the DNS and/or WINS servers” on
page 13-22.
Configuring the Subnets tab
To configure the virtual subnet address, select VPN Configuration ->
Client Address Pools and select the client address pool that you want to
configure from the Pools list. The following tab appears.

Figure 13-6. Client
Address Pools: Subnets
tab
Configuring the Subnets
tab
Configuring client address pools
The Subnets tab allows you to define the virtual address subnet for
this address pool. You can also specify any local networks that you
want to be accessible to remote clients using this pool. Follow the
steps below.
1. Configure the Virtual Subnet List. This list defines the virtual subnets
that define the IP address ranges that are available within this pool. The
following options are available:
Create a new virtual subnet—Click New to define a new entry in
the Local Subnet List. See “Adding or modifying a subnet address”
for details.
Modify a virtual subnet—Highlight the subnet you want to modify
and click Modify to modify an existing entry in the Local Subnet
List. See “Adding or modifying a subnet address” on page 13-22 for
details.
Delete a virtual subnet—Highlight the subnet you want to delete
and click Delete to delete an existing entry from the Local Subnet
List.
Configuring Virtual Private Networks 13-21

Configuring client address pools
Adding or modifying a
subnet address
13-22 Configuring Virtual Private Networks
2. Configure the Local Subnet List. This list defines the local networks
available to remote clients that establish a VPN association using an
address from the client address pool. The following options are
available:
Create a new local subnet—Click New to define a new entry in the
Local Subnet List. See “Adding or modifying a subnet address” for
details.
Modify a local subnet—Highlight the subnet you want to modify
and click Modify to modify an existing entry in the Local Subnet
List. See “Adding or modifying a subnet address” on page 13-22 for
details.
Delete a local subnet—Highlight the subnet you want to delete
and click Delete to delete an existing entry from the Local Subnet
List.
Important: The client machine’s IP address should not match the internal network’s
subnet, as this configuration could cause internal routing and connectivity issues.
To add or modify an IP address/netmask combination in the New/
Modify Virtual/Local Subnet window, follow the steps below.
1. In the Virtual/Local Subnet field, type the IP address that will be used to
define:
For the Virtual Subnet field—The network portion of the IP
addresses used in the client address pool.
For the Local Subnet List—The network portion of the local
network that will be made available to the VPN clients.
2. In the netmask field, specify the number of bits to use in the network
mask. The network mask specifies the significant portion of the IP
address.
3. Click Add.
4. Click the Save icon.
Configuring the DNS and/or WINS servers
To configure the DNS and/or WINS servers, select VPN Configuration ->
Client Address Pools. Create a new entry or select an existing one, and
then select the Servers tab. The following window appears.

Figure 13-1. Client
Address Pools:
Servers tab
Configuring client address pools
Configuring the Servers tab The Servers tab is used to define the DNS server(s) and/or the WINS
server(s) that will be made available to remote clients. These servers
provide name and address resolution services for devices within the
local network. The DNS servers you specify can reside on the
Sidewinder G2 or be located on another machine in a local or remote
network. WINS servers are never located on the Sidewinder G2. To
configure the Servers tab, follow the steps below.
1. The DNS Servers box lists the DNS servers that will be made available to
VPN clients that establish a connection using an address from the client
address pool. The following options are available:
New—Click this button to create a new DNS server. See “Adding or
modifying a server” for details.
Modify—Select a DNS server and click Modify to modify an
existing DNS server. See “Adding or modifying a server” for details.
Delete—Select the DNS server and click Delete to delete an
existing DNS server.
Configuring Virtual Private Networks 13-23

Configuring client address pools
Adding or modifying a
server
13-24 Configuring Virtual Private Networks
2. The NBNS/WINS Servers box lists the NBNS and WINS servers that will be
made available to VPN clients that establish a connection using an
address from the client address pool. The following options are
available:
New: Click this button to create a new NBNS/WINS server. See
“Adding or modifying a server” on page 13-24 for details.
Modify: Select a NBNS/WINS server and click Modify to modify an
existing NBNS/WINS server. See “Adding or modifying a server” on
page 13-24 for details.
Delete: Select the NBNS/WINS server and click Delete to delete an
existing NBNS/WINS server.
To add or modify a server entry in the New/Modify DNS or NBNS/
WINS server window, follow the steps below.
1. In the DNS Server or NBNS/WINS field, type or change the IP address that
specifies the location of the DNS or WINS server.
2. Click Add to add the IP address to the server list.
3. Repeat step 1 and step 2 for each additional IP address you want to add.
4. When you are finished adding/modifying IP addresses, click Add.
5. To save changes to the Servers tab, click the Save icon.
Configuring the fixed IP map
To configure the fixed IP map, select VPN Configuration -> Client
Address Pools. Create a new entry or select an existing one, and then
select the Fixed IP Map tab. The following window appears.

Figure 13-2. Client
Address Pools:
Fixed IP Map tab
Configuring client address pools
About the Fixed IP Map tab The Fixed IP Map tab is used to define fixed addresses for selected
clients. It enables each of the specified clients to connect to the
Sidewinder G2 using their own unique IP address. It effectively
reserves a specific IP address for a specified client. The fixed
addresses you specify must be within the range of available IP address
as defined by the client address pools.
Caution: Do not use network or broadcast addresses when mapping IP addresses to
client IDs. These addresses are reserved and are not considered valid values for client
address mappings. For example, if your address range is 192.168.105.0/24, then
192.168.105.0 (the network address) and 192.168.105.255 (the broadcast address) should
not be used in a fixed IP client mapping. The network address is that address whose
masked portion is all 0s, and the broadcast address is that address whose masked portion
is all 1s.
One of the benefits of assigning fixed IP addresses to selected clients
is that it allows you to govern what each client can do. For example,
you might restrict access to certain clients, and you might grant
additional privileges to other clients. You do this by creating a
network object for a selected IP address and then using the network
object within a rule.
The Fixed IP Map tab contains a Fixed IP Client Address Mappings box
that lists the current IP address/client mappings. Each unique IP
address can appear in the table only once. Multiple identities
representing a single client, however, can be mapped to one IP
address. You can add, modify, or delete entries by using one of the
buttons described below.
Configuring Virtual Private Networks 13-25

Configuring client address pools
Adding or modifying fixed
IP entries
13-26 Configuring Virtual Private Networks
New—Click this button to define a new fixed IP client address
mapping. See “Adding or modifying fixed IP entries” on page 13-
26 for details.
Modify—Select an entry and click this button to modify a fixed IP
client address mapping. See “Adding or modifying fixed IP entries”
on page 13-26 for details.
Delete—Select an entry and click this button to delete a fixed IP
client address mapping.
The Fixed IP Map tab allow you to create a client address mapping
entry or to modify an existing entry. Each entry consists of two fields:
an IP address and one or more client IDs. To add or modify a fixed IP
entry, follow the steps below.
1. In the IP Address field, enter the fixed IP address that will be associated
with this mapping. The IP address must be within the virtual subnet for
this pool.
2. Configure the client identification strings for this entry. All entries listed
in the Client Identification Strings box will be mapped to the associated
IP address. Because a client can use one of several different IDs (a
distinguished name, an e-mail address, etc.) when negotiating a session,
you can map multiple IDs to one IP address. However, you cannot map
two separate clients to the same address.
Defining all the possible IDs for a client means you will be ready
regardless of which ID is presented during the negotiation. Note that if
a user will be using Extended Authentication, their user name will
override any other ID. Use the following buttons to configure client
identification strings:
Note: Each client identification string must be entered separately.
New—Click this button to add a new client identifier. See “Adding
or modifying a client identification string” on page 13-27 for
details.
Modify—Click this button to modify an existing client identifier.
See “Adding or modifying a client identification string” on page 13-
27 for details.
Delete—Click this button to delete an existing client identifier.
3. When you have finished configuring the client identification strings,
click Add to add the new pool entry to the list.
Note: Clicking Close without clicking Add first will cancel any changes.

Adding or modifying a
client identification string
Configuring
Certificate
Management
Configuring Certificate Management
To create or modify a client identifier, follow the steps below.
1. Type the new client identifier in the Client ID field. You can type any of
the possible identifiers:
Distinguished name
E-mail address
Domain name
IP address
XAUTH username
Tip: The XAUTH username overrides all other client identification values. If the user
will be using extended authentication, you should only add that user name for fixed
IP mapping.
2. Click Add to add the client ID to the list.
3. To create additional client IDs, repeat step 1 and step 2 for each client ID.
4. Click the Save icon.
If you are using automatic key generation and intend to use
certificates for authentication, you should configure the certificate
and/or Certificate Authority (CA) server information before you set up
the VPN. This eliminates the need to configure certificates and CAs
during the VPN process. To configure certificate or CA information,
follow these general steps.
1. Review the section “Selecting a trusted source” on page 13-31 for
details on certificates and CAs.
2. Decide if you will use a public CA server, your private CA server, or selfsigned
certificates generated by the Sidewinder G2 (which can be used
between two Sidewinder G2s or between a Sidewinder G2 and a VPN
client machine).
3. If you are using a public or private CA server, go to “Configuring and
displaying CA root certificates” on page 13-32. You may also want to
add remote identities to be used in conjunction with a Certificate
Authority policy. See “Configuring and displaying Remote Identities” on
page 13-35.
4. If you are using self-signed certificates, refer to the section titled
“Configuring and displaying firewall certificates” on page 13-37.
Configuring Virtual Private Networks 13-27

Configuring Certificate Management
13-28 Configuring Virtual Private Networks
5. If you are configuring a VPN between the Sidewinder G2 and a machine
running the client version of the Sidewinder G2 VPN solution, and if you
are not using a CA, you must create a remote certificate, export it, then
import the certificate into the VPN client. Refer to the section titled
“Exporting remote or firewall certificates” on page 13-48.
Understanding Distinguished Name syntax
The Certificate Manager supports using distinguished names (DN) for
a number of purposes, including identifying the subject of an X.509
certificate. DNs need to be entered using the proper syntax. As
defined in the X.500 specifications, a DN is an Abstract Syntax
Notation One (ASN.1) value. Within an X.509 certificate, a DN is
represented as a binary value. When it is necessary to represent a DN
in a human–readable format, as when entering information into the
Certificate Manager, the Sidewinder G2 uses the string syntax defined
by RFC 2253. This section summarizes the DN string syntax through a
series of examples.
Note: For more information on this string syntax, visit http://www.ietf.org/rfc.html and
search for RFC 2253, “Lightweight Directory Access Protocol (v3): UTF-8 String
Representation of Distinguished Names.”
A distinguished name (DN) consists of a sequence of identity
components, each composed of a type tag and a value. The
components of a DN are sets of attribute type/value pairs. The
attribute type indicates the type of the item, and the attribute value
holds its contents. Each type/value pair consists of an X.500 attribute
type and attribute value, separated by an equal sign (‘=’). In the
example CN=Jane Smith, “CN” is the attribute type and “Jane Smith”
is the value.
The attribute type/value pairs are separated by commas (‘,’). This
example shows a DN made up of three components:
CN=Jane Smith, OU=Sales, O=Secure Computing
Plan out your organization’s certificate identification needs before
creating any DNs. DNs have a hierarchical structure, reading from
most specific to least specific. No preset hierarchy of attribute type
exists, but the structure for a given organization need to be consistent.
In this example, the organization Secure Computing has
organizational units, making the organizational unit attribute type
more specific than the organization attribute type.
CN=Jane Smith, OU=Sales, O=Secure Computing
CN=Ira Stewart, OU=Engineering, O=Secure Computing

Configuring Certificate Management
An attribute type is specified by a tag string associated with the X.500
attribute being represented. The Sidewinder G2 supports the attribute
tag strings displayed in Table 13-1, which includes the most common
ones recommended by RFC 2253. The tag strings are not case
sensitive.
Table 13-1. Supported X.500 Attribute Type Tags
Tag String
X.500 Attribute
Name
Character String
Type
C CountryName PrintableString 2
CN CommonName DirectoryString 64
Email Address EmailAddress IA5String 128
L LocalityName DirectoryString 128
O OrganizationName DirectoryString 64
OU OrganizationUnitName DirectoryString 64
SN Surname DirectoryString 128
ST StateName DirectoryString 128
Street StreetAddress DirectoryString 128
UID UserID DirectoryString 128
Max. # of
Characters
The attribute value holds the actual content of the identity
information, and is constrained by the associated attribute type. For
the supported attribute types, Table 13-1 shows the corresponding
string type (which limits the allowed set of characters) and its
maximum length. For example, given “CN=Jane Smith” as a name
component, the string “Jane Smith” is of type DirectoryString, and is
constrained to a maximum of 64 characters. The maximum number of
characters allowed in a DN (that is, the number of characters for all
attribute values added together) is 1024.
Table 13-1 defines the allowed character set for each of the character
string types used in Table 13-1.
Configuring Virtual Private Networks 13-29

Configuring Certificate Management
13-30 Configuring Virtual Private Networks
Table 13-1. Character String Types
Character String
Type
Allowed Characters
DirectoryString All 8 bit characters without encoding
All non–8 bit characters with UTF–8 encoding
PrintableString A–Z, a–z, 0–9, ()+-./:=?, comma (‘,’), space (‘ ‘), apostrophe (‘’’)
IA5String All 7 bit characters
When representing attribute values, be careful when using special
characters. The following characters have special meaning in the
string syntax and must be escaped with a backslash character (‘\’):
comma (‘,’)
equal sign (‘=’)
plus sign (‘+’)
less than sign (‘’)
pound sign (‘#’)
semicolon (‘;’)
backslash (‘\’)
quotation (‘”’).
All other printable ASCII characters represent themselves. Non–
printable ASCII must be escaped by preceding the ordinal value of the
character in two-digit hexadecimal with a backslash (for example. the
BEL character, which has an ordinal value of seven, would be
represented by \07). Here are some examples of the escape
conventions:
CN=Jane Smith\,DDS, OU=Sales, O=Secure Computing
CN=\4a\61\6e\65\20Smith, OU=Sales, O=Secure Computing
Attribute values may optionally be contained within double-quote
characters, in which case only the backslash (‘\’), double quote (‘”’),
and non–printable ASCII characters need to be escaped. Here the
double-quotes eliminate the need to escape the CN’s comma:
CN=”Jane Smith,DDS”, OU=Sales, O=Secure Computing
Note: Entries containing backslashes or double–quotes will appear “normalized”
(without extra characters or spaces) in the GUI once they are saved.

Single certificate versus
Certificate Authority
trusted sources
Public versus private
Certificate Authorities
Configuring Certificate Management
Use this supported syntax when entering information on the Admin
Console’s Certificate Manager tabs.
Note: For additional information on DN syntax, see RFCs 2044, 2252, 2253, and 2256.
Selecting a trusted source
If you have decided to use certificate authentication, you must choose
whether to use a single certificate or Certificate Authority root
certificate. In both methods, when a key is generated, the trust point
(the Sidewinder G2 or a trusted CA like Netscape, Baltimore, Entrust,
etc.) places the key in an electronic envelope called an X.509
certificate. Every certificate contains a collection of information about
the entity possessing the private key (the Sidewinder G2 or VPN
client). This information may include an identity, a company name,
and a residency.
Note: If you select Netscape as a CA server, note that only Netscape version 4.2 is
supported at this time.
To validate this information, a certificate must be electronically
verified and witnessed by a trusted source. A CA based trusted source
is best designed for larger deployments and allows for greater
flexibility, as both the root (general authoritative certificate from the
CA) and personal certificates may be retrieved online. However, a CA
configuration does require managing the Certificate Authority server
or paying someone else to manage it for you. A Sidewinder G2 selfsigned
trust source is best for very small deployments, as a separate
security association must be created for each client. Certificates must
be exported from the Sidewinder G2 and then installed on each client.
If you are planning to use a specific Certificate Authority to validate
certificates created on the Sidewinder G2, or as part of a group of
trusted CAs from which Sidewinder G2 can directly import certificates,
you should set up these CAs before you begin configuring a VPN. You
can use the following types of CA servers:
Configuring Virtual Private Networks 13-31

Configuring Certificate Management
Figure 13-7.
Certificate Management:
Certificate Authorities
tab
13-32 Configuring Virtual Private Networks
a private CA server — You can purchase and install your own CA
server and configure this server as the trusted authority for any
VPNs you establish. This is an ideal solution for companies that
prefer to only allow VPNs with certificates signed by a CA server
on their own protected network.
Note: Before you begin, you must install the CA server and make its URL accessible
to the Sidewinder G2. For details on installing and configuring a private CA server,
review the manufacturer’s documentation.
a public CA server — you can choose to accept certificates signed by
trusted CAs administered elsewhere. This option allows remote
machines to use one certificate for VPNs with more than one
corporate partner.
Configuring and displaying CA root certificates
This section explains how to configure the Certificate Authorities tab
and display the imported signed root certificate.
In the Admin Console, select Services Configuration -> Certificate
Management, then click the Certificate Authorities tab. The following
window appears.

About the Certificate
Authorities tab
Adding a Certificate
Authority
Configuring Certificate Management
The Certificate Authorities tab allows you to view the list of available
certificate authorities (CAs). CAs are used to validate (sign) certificates
that are used in a VPN connection. To display the properties of a
specific certificate, select the certificate from within the Cert Authorities
list. Its properties are displayed on the right portion of the window.
For a description of these properties, see “Adding a Certificate
Authority” on page 13-33.
From this tab, you can perform the following actions:
Add a new certificate to the list—Click New and see “Adding a
Certificate Authority” on page 13-33 for details.
Delete a certificate from the list—Highlight the certificate you want to
delete and click Delete.
Note: A Certificate Authority cannot be deleted if it is currently being used by one or
more Security Associations (the Delete button is disabled).
Retrieve a certificate—Click Get CA Cert to query the CA and import a
certificate for the selected CA. The selected CA must be either
Netscape 4.2 or an SCEP CA.
Export a certificate—Click Export to export a CA certificate from
local cache to a file and/or a screen.
Retrieve a CRL—Click Get CRL to manually retrieve a new Certificate
Revocation List (CRL) for this CA. A CRL identifies certificates that
have been revoked. CRLs expire on a regular basis, which is why
you must periodically obtain a new CRL. You generally only need
to manually get a CRL for Netscape CAs when the CA is initially
added. After that CRLs are automatically updated every 15 minutes
or so for Netscape CAs.
Note: If you do not have access to either a Netscape CA or have access to an LDAP
directory, you should disable the Perform CRL Checking button on the Certificate
Server window.
The New Certificate Authority window enables you to add a new
Certificate Authority to the list of CAs used when authorizing
certificates in a Sidewinder G2 VPN connection. To add a new
Certificate Authority, follow the steps below.
1. In the CA Name field, type a name for this certificate authority. Only
alphanumeric characters are accepted in this field.
Configuring Virtual Private Networks 13-33

Configuring Certificate Management
13-34 Configuring Virtual Private Networks
2. In the Type drop-down list, select the type of CA used by your location.
Valid options are:
Manual—Indicates the necessary files are obtained and loaded by
an administrator rather than by a CA.
Netscape 4.2—Indicates that a Netscape version 4.2 CA is being
defined.
SCEP (Simple Certificate Enrollment Protocol)—Indicates the CA
being defined supports this widely-used certificate enrollment
protocol. The CA can be of any type (Netscape 4.2, Baltimore,
Entrust, VeriSign, etc.) as long as it supports SCEP.
3. [Conditional] In the File field, type the name and location of the root
certificate for the CA, or click Browse to browse your network directories
for the location of the root certificate. The root certificate is used to
verify certificates issued by this CA. (This field is available only if you
select Manual in the Type field.)
Note: Valid file formats are .pem and .der. For information on obtaining a root
certificate, see the documentation that accompanied the CA.
4. [Conditional] In the URL field, type the URL address of the Netscape CA
in the URL field. Certificates that need to be signed by the CA are sent to
this address. (This field is available only if you select Netscape or SCEP in
the Type field.)
5. [Optional] In the CA Id field, type the value used to identify this specific
CA. Check with your CA administrator to determine the identifier to use.
Many administrators use the fully-qualified domain name of the CA as
the identifier. (This field is available only if you select SCEP in the Type
field.)
6. Click Add to add the CA to the Certificate Authority list. To define
another certificate authority, repeat step 1–step 5.
7. Click the Save icon.

Figure 13-8.
Remote Identities tab
About the Remote
Identities tab
Configuring Certificate Management
Configuring and displaying Remote Identities
Remote Identities can be created for two purposes. If you choose to
have a Certificate Authority policy defined for a VPN (whereby a
group of trusted CAs is authorized to issue certificates for access to the
VPN), you will also require a list of Remote Identities. Remote
Identities are used as part of a Security Association to determine
which remote certificates from a CA may be used to authenticate to a
VPN. You may also be required to configure a remote identity to be
used in a Security Association for a software client, such as the
SafeNet SoftRemote client, using pre-shared passwords.
In the Admin Console, select Services Configuration -> Certificate
Management, then select the Remote Identities tab. The following
window appears.
In this tab you can view and modify the list of available remote
identities. Remote identities are used to identify the authorized users
who take part in a Security Association and either have been issued a
certificate from a particular CA or use a VPN client configured with a
pre-shared password. For example, as part of a remote identity you
might define a Distinguished Name that authorizes only people from
the Sales department of Bizco corporation.
In this tab, you can perform the following actions:
Configuring Virtual Private Networks 13-35

Configuring Certificate Management
Adding or modifying a
Remote Identity
13-36 Configuring Virtual Private Networks
To display the properties of a specific identity, select the identity
from within the list. Its properties are displayed on the right
portion of the window.
To modify an identity, make the desired changes and click the Save
icon. For specific information on modifying the properties that
appear for a remote identity, see “Adding or modifying a Remote
Identity” on page 13-36.
To create a new remote identity, click New, and see “Adding or
modifying a Remote Identity” on page 13-36 for details.
To delete an existing identity, highlight the identity you want to
delete and click Delete.
The Create New Remote Identity window enables you to add a new
remote identity. You can also modify an existing remote identity
within the Remote Identities tab. To add or modify a remote identity,
follow the steps below.
Tip: An asterisk can be used as a wildcard when defining the fields on this window. (Other
special characters are not allowed.) For example; *, O=bizco, C=us represents all users at
Bizco.
1. In the Identity Name field, type a name for this Remote Identity.
2. In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 13-28 for
information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order
listed in the certificate.
3. [Optional] In the E-Mail Address field, enter the e-mail address(es) to
which you want to restrict access. Enter one e-mail address per identity
or use a wildcard to indicate all e-mail addresses, such as *@bizco.net.
4. [Optional] In the Domain Name field, type the specific domain name to
which you want to restrict access. Enter one domain name per identity
or use a wildcard to indicate all domain names, such as *.bizco.net.
5. [Optional] In the IP Address field, type the unique IP address or group of
IP addresses to which you want to restrict access. For example:
182.19.0.0/16 indicates that only users with IP addresses beginning with
182.19 (as contained in the certificate) will be authorized to use the VPN.
6. Click Add to add the identity to the Identities list.
7. To define additional remote IDs, repeat step 1–step 6.
8. Click the Save icon.

Figure 13-9.
Firewall certificates
About the Firewall
Certificates tab
Configuring Certificate Management
Configuring and displaying firewall certificates
A firewall certificate is used to identify the Sidewinder G2 to a
potential peer in a VPN connection. When creating a certificate for the
Sidewinder G2, you have the option to submit the certificate to a CA
for validation, or have the Sidewinder G2 generate a self-signed
certificate. You should create these certificates before you begin
configuring a VPN.
Note: CA-signed certificates may be used as the firewall certificate for SSL termination. To
do so, you must import the root and/or intermediate certificates in the certificate chain for
the given CA-signed certificate (not the chain). If the browser does not have the
intermediate/root certificates loaded, a security warning or error will appear indicating
that the CA-signed certificate presented by Sidewinder G2 is not trusted. You can import
the intermediate/root CA certificate using the Certificates Authorities tab in the Certificate
Management window.
In the Admin Console, select Services Configuration -> Certificate
Management, then select the Firewall Certificates tab. The following
window appears.
The Firewall Certificates tab enables you to view the list of available
certificates. The Sidewinder G2 will use a firewall certificate to identify
itself to a peer in a VPN connection. To display the properties of a
specific certificate, select the certificate from within the list and its
properties are displayed on the right portion of the window. For a
description of these properties, see “Adding a firewall certificate” on
page 13-38.
Configuring Virtual Private Networks 13-37

Configuring Certificate Management
13-38 Configuring Virtual Private Networks
From this tab, you can perform the following actions:
Note: You cannot modify the properties of a certificate from this window. To modify a
certificate you must delete it and then add it back using the new properties.
Add a firewall certificate—Click New to add a certificate to the
Certificate list. See “Adding a firewall certificate” on page 13-38 for
details.
Delete a firewall certificate—Highlight the certificate and click Delete
to remove the selected certificate from the Certificate list.
Note: A certificate cannot be deleted if it is currently used by one or more areas (for
example, Security Associations, Application Defenses, etc.).
Import a firewall certificate—Click Import to import an existing
certificate and its related private key file. See “Importing a firewall
certificate” on page 13-46 for more information.
Export a firewall certificate—Click Export to export the selected
certificate to a file. The export function is generally used when
capturing the certificate information needed by a remote partner
such as a VPN client. See “Exporting remote or firewall certificates”
on page 13-48 for more details.
Retrieve a certificate—If a certificate request has been submitted to
be signed by a CA, click the Query button to query the CA to see if
the certificate is approved. If yes, the Status field will change to
SIGNED and the approved certificate will be retrieved.
If the certificate request is Manual PKCS10, click the Load button to
load the signed certificate from a file supplied by the CA.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment
Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.
Adding a firewall certificate The Create New Firewall Certificate window enables you to add a
certificate to the Firewall Certificate list. To add a certificate, follow the
steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed
certificates created on the Sidewinder G2 is five years.
1. In the Certificate Name field, type a name for this certificate.
2. In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 13-28 for
information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order
listed in the certificate.

Configuring Certificate Management
Note: Some CAs will not support the optional identity types specified in step 3
through step 5.
3. [Optional] In the E-Mail Address field, type the email address associated
with this firewall certificate.
4. [Optional] In the Domain Name field, type the domain name associated
with this firewall certificate.
5. [Optional] In the IP Address field, type the IP address associated with this
firewall certificate.
6. In the Submit to CA drop-down list, select the enrollment method to
which the certificate will be submitted for signing. The valid options are:
Self Signed—Indicates the new certificate will be signed by the
firewall rather than by a CA.
Manual PKCS10—Indicates the certificate enrollment request will
be placed in a PKCS10 envelope and exported to the file
designated in the Generated PKCS10 File field.
The name of the CA to which the certificate is submitted for
signing. The CA can be either private (one you own and manage)
or it can be public (a trusted CA administered elsewhere).
7. In the Signature Type field, select the encryption format that will be
used when signing the certificate. Valid options are RSA or DSA.
8. [Conditional] Depending on the method you select in the Submit to CA
field, the Other Parameters area may contain additional fields, as
described below:
If you selected Manual PKCS10 in the Submit to CA field, the
Generated PKCS10 File field appears. Specify the name and location
of the file that will contain the signed certificate, or click Browse to
browse the network directories for the location of the file you want
to specify. This file contains a PKCS10 "envelope" that is used to
send a certificate to a CA for signing.
If you selected a method that uses SCEP, you will need to provide a
password in the SCEP Password field that appears.
9. [Conditional] In the Format field, select the appropriate format for your
PKCS10 certificate request.
10. Click Add to add the certificate to the Certificates list. To define
additional certificates repeat step 1 through step 9.
11. Click the Save icon.
Configuring Virtual Private Networks 13-39

Configuring Certificate Management
Figure 13-10.
Remote certificates
defined on the
Sidewinder G2
About the Remote
Certificates tab
13-40 Configuring Virtual Private Networks
Configuring and displaying remote certificates
A remote certificate identifies one or more peers that can be involved
in a VPN connection with a Sidewinder G2. The Sidewinder G2 can
import existing certificates into its Remote Certificates database, or it
can create new remote certificates. In either case, all certificates
should be in place before you begin configuring a VPN.
In the Admin Console, select Services Configuration -> Certificate
Management, then select the Remote Certificates tab. The following
window appears.
The Remote Certificates tab enables you to view the list of available
remote certificates. These certificates represent the potential peers
with which Sidewinder G2 can establish a VPN connection. To display
the properties of a specific certificate, select the certificate from within
the list. Its properties are displayed on the right portion of the
window. For a description of these properties, see “Adding a remote
certificate”.
Note: You cannot modify the properties of a certificate from this window. To modify a
certificate you must delete it and then add it back using the new properties.

Configuring Certificate Management
From this window, you can perform the following actions:
Add a new certificate to the Certificate list—Click New and see “Adding
a remote certificate” on page 13-41 for details.
Delete a certificate from the list—Highlight the certificate you want to
delete and click Delete.
Import certificates—Click Import and see “Importing a remote
certificate” on page 13-47.
Export certificates—Click Export and see “Exporting remote or
firewall certificates” on page 13-48.
Query the CA for Certificate status—If a certificate request has been
submitted to be signed by a CA, click the Query button to query
the CA to see if the certificate is approved. If yes, the Status field
will change to SIGNED and the approved certificate will be
retrieved.
If the certificate request is Manual PKCS10, click the Load button to
query and retrieve the signed certificate.
Note: By default, Netscape CAs and CAs that support the Simple Certificate Enrollment
Protocol (SCEP) are checked every 15 minutes for any certificates waiting to be signed.
Adding a remote certificate The Create New Remote Certificate window enables you to add a
certificate to the Remote Certificate list. To add a remote certificate,
follow the steps below.
Note: The default certificate key size is 1024 bits. The default lifetime for self-signed
certificates created on the Sidewinder G2 is five years.
1. In the Certificate Name field, type a name for this certificate.
2. In the Distinguished Name field, create a distinguished name. See
“Understanding Distinguished Name syntax” on page 13-28 for
information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order
listed in the certificate.
Note: Some CAs will not support the optional identity types specified in step 3
through step 5.
3. [Optional] In the E-Mail Address field, type the email address associated
with this remote certificate.
4. [Optional] In the Domain Name field, type the domain name associated
with this remote certificate.
Configuring Virtual Private Networks 13-41

Configuring Certificate Management
13-42 Configuring Virtual Private Networks
5. [Optional] In the IP Address field, type the IP address associated with this
remote certificate.
6. In the Submit to CA drop-down list, select the enrollment method to
which the certificate will be submitted for signing. The valid options are:
Self Signed: Indicates the new certificate will be signed by the
Sidewinder G2 rather than by a CA.
Manual PKCS10: Indicates the certificate enrollment request will be
placed in a PKCS10 envelope and exported to the file designated
in the Generated PKCS10 File field.
The name of the CA to which the certificate is submitted for
signing. The CA can be either private (one you own and manage)
or it can be public (a trusted CA administered elsewhere).
Note: The CA option is only available if a CA is already configured on the Certificate
Authorities tab.
7. In the Signature Type box, select the encryption format that will be used
when signing the certificate. Valid options are RSA or DSA.
8. [Conditional] In the Generated PKCS10 File field, specify the name and
location of the file that will contain the signature request, or click
Browse to browse the network directories for the file location.
This file contains a PKCS10 “envelope” that is used to send a certificate
to a CA for signing. This field is available only if Manual PKCS10 is
specified in the Submit to CA field.
Note: To create a new file using the Browse button, enter the name and extension
(allowed file formats are binary or .pem).
9. [Conditional] In the Format field, select the appropriate format for your
PKCS10 certificate request.
10. [Conditional] In the SCEP Password field, type a password for this
certificate. You will need this password if you ever need the CA to
revoke this certificate. The password may not contain spaces or single
quotes. This field is available only if the Submit to CA field displays a CA
of type SCEP.
11. Click Add to add the certificate to the Certificates list.
12. To define additional certificates, repeat step 1–11 for each certificate
you want to add.
13. Click the Save icon.

Figure 13-11. SSL
Certificates tab
Configuring Certificate Management
Assigning new certificates for Admin Console and
synchronization services
The default SSL certificates are unique to each Sidewinder G2.
However, if you would like to change your default certificate for any
reason, follow the steps in this section.
Note: Keep in mind, it is the certificates on the Sidewinder G2 end that you are changing,
not on the client end.
Before assigning a new certificate to these services you must first
create the new certificates. You should create two new certificates,
one for the Admin Console service and one for the synchronization
server. You create the certificates from the Firewall Certificates tab. Each
certificate must be:
a firewall certificate
a self-signed certificate
of type RSA
See “Configuring and displaying firewall certificates” on page 13-37
for information on creating a firewall certificate.
To assign a new certificate for the Admin Console or the
synchronization server, in the Admin Console, select Services
Configuration -> Certificate Management, then select the SSL Certificates
tab.
Configuring Virtual Private Networks 13-43

Importing and exporting certificates
Configuring the SSL Cert
tab
Selecting a new proxy
certificate
Importing and
exporting
certificates
13-44 Configuring Virtual Private Networks
This tab is used to assign a new SSL certificate to the Admin Console
service (cobra) or the synchronization server (synchronization).
The SSL Certificate tab allows you to view the proxies to which you
can assign new certificates and identifies the name of the certificate
currently assigned to each proxy. The certificate will either be 1) the
default certificate or 2) a self-signed, RSA firewall certificate that is
defined on the Firewall Certificates tab.
To assign a new certificate to a selected proxy, click Modify. See
“Selecting a new proxy certificate” on page 13-44 for details.
Note: You will receive a warning message if you click Modify and there is not at
least one self-signed RSA firewall certificate currently defined on the Sidewinder G2.
See “Configuring and displaying firewall certificates” on page 13-37 for information
on defining this type of certificate.
The Proxy Certificate Selection window is used to assign a new
certificate to the selected proxy. To assign a certificate to a proxy,
follow the steps below.
1. In the Certificate drop-down list, select the new certificate to assign to
this proxy (the proxy name is displayed in the Proxy Name field). Only
self-signed, RSA firewall certificates that are defined on the Firewall
Certificate tab are displayed in this list.
2. Click OK to save the change and to exit the window, or click Cancel to
exit the window without saving the change.
3. Click the Save icon.
Once the certificates have been generated, they need to be exported
and transferred to a VPN client such as SafeNet SoftRemote or to
another Sidewinder G2. Similarly, you may want to import certificates
into the Sidewinder G2 originally created on another system. This
section walks you through importing and exporting certificates on the
Sidewinder G2.
Loading manual remote or firewall certificates
If you chose to create a manual certificate, you must retrieve the
certificate after it is signed by the CA; the Sidewinder G2 will not
retrieve it automatically. For this process, the Load button appears
when an unsigned requested certificate name is highlighted. Clicking
this button will initiate the process to retrieve and import the
certificate. After clicking Load, the following window appears.

Figure 13-3. Load
Certificate for PKCS 10
Request window
About the Load Certificate
for PKCS 10 Request
window
Importing and exporting certificates
The Load Certificate for PKCS 10 Request window is used to load
signed certificates. It also functions to query an LDAP server for
wether or not a requested certificated is signed. To load a signed
certificate, follow the steps below.
1. In the Certificate Source field, select the source location of the
certificate. The following options are available:
File: Indicates you will manually specify the location of the
certificate.
LDAP: Indicates you will access the services of an LDAP
(Lightweight Directory Access Protocol) directory to locate the
certificate. The LDAP server can be version 2 or version 3.
Pasted PEM Certificate: Indicates you will paste or type in the
certificate from another source, such as another open application
window or personal communication.
2. [Conditional] In the Certificate from File field, if the certificate source is a
file, type the location or Browse to the location.
3. [Conditional] In the Manual (pasted) PEM Certificate field, if the
certificate source is a Pasted PEM Certificate, type or paste the certificate
in this field.
4. Click OK to issue a query command for your requested certificate, or
click Cancel cancel the certificate request.
If you click OK and the certificate is available, it will automatically be
imported and the status will change to SIGNED.
5. Click the Save icon.
Configuring Virtual Private Networks 13-45

Importing and exporting certificates
Figure 13-12. Import
Firewall Certificate
window
Configuring the Import
Firewall Certificate window
13-46 Configuring Virtual Private Networks
Importing a firewall certificate
You can import a certificate to the list of firewall certificates defined
on the Sidewinder G2.
To import a firewall certificate, in the Admin Console, select Services
Configuration -> Certificate Management, then select the Firewall
Certificates tab and click Import. The following window appears.
Note: The displayed fields will vary slightly, depending on the which import source you
select.
The Import Firewall Certificate window is used to import a certificate
to the Firewall Certificates list. To import a certificate, follow the steps
below.
1. In the Import Source field, select either File or Encrypted FIle (PKCS12).
Note: The fields that are available will vary based on the import source you select.
If you select File, you must identify the file on the Import Certificate
From File field.
If you select Encrypted FIle (PKCS12), specify the certificate and key
file.
2. In the Certificate Name field, type a local name for the certificate you are
importing.

Figure 13-13. Import
Remote Certificate
window
Configuring the Import
Remote Certificate window
Importing and exporting certificates
3. In the Import Certificate From File or the Import Certificate/Key field,
type the name and location of the certificate file you will import. You
may also click Browse to browse the network directories for the location
of the file(s) you want to specify.
4. [Conditional] In the Private Key File field, type the name and location of
the private key file associated with this certificate, or click Browse to
browse the network directories for the location of the file(s) you want to
specify. The file can be in either PK1 or PK8 format. (This field is only
available if the Import Source field displays File.)
5. [Conditional] In the Password field, enter the password to decrypt the
imported file. This password must match the password given when the
file was encrypted. (This field is only available if the Import Source field
displays Encrypted File(PKCS12).)
Importing a remote certificate
To import a certificate to the list of remote certificates defined on the
Sidewinder G2, using the Admin Console select Services Configuration -
> Certificate Management, then select the Remote Certificates tab and
click Import. The following window appears.
The Import Remote Certificate window is used to import a certificate
to the Remote Certificates list. To import a remote certificate, follow
the steps below.
Configuring Virtual Private Networks 13-47

Importing and exporting certificates
13-48 Configuring Virtual Private Networks
1. In the Import source field, select the source location of the certificate.
File: Indicates you will manually specify the location of the
certificate file.
Encrypted File: Indicates you will manually specify the locations of
the certificate and private key file.
LDAP: Indicates that you will access the services of an LDAP
(Lightweight Directory Access Protocol) directory to locate the
certificate. The LDAP server can be version 2 or version 3.
Paste PEM Certificate: Indicates you will import the certificate by
performing a cut and paste. The Distinguished Name field will
change to become the Manual (pasted) PEM Certificate field. Paste
the certificate into this area.
2. In the Certificate Name field, type a local name for the certificate you are
importing.
3. [Conditional] In the Import Certificate From File field, type the name and
location of the certificate file you will import, or click Browse to browse
the network directories for the location. (This field is available only if the
Import source field displays File.)
4. [Conditional] In the Password field, enter the password to decrypt the
imported file. This password must match the password given when the
file was encrypted. (This field is only available if the Import Source field
displays Encrypted File.)
5. [Conditional] In the Distinguished Name field, create a distinguished
name. See “Understanding Distinguished Name syntax” on page 13-28
for information on the format that should be used.
Note: The order of the specified distinguished name fields must match the order
listed in the certificate.
6. Click OK to import the remote certificate, or click Cancel to cancel the
request.
7. Click the Save icon.
Exporting remote or firewall certificates
You can export certificates from either the Remote Certificates tab or
the Firewall Certificates tab. The procedure you use is very simple and
is the same from either tab. The reasons you export a certificate from
one tab rather than the other, however, are quite different, as
described below.

Figure 13-14. Export
Firewall Certificate
window
Configuring the Export
Certificate window
Importing and exporting certificates
Exporting a Remote Certificate—You are most likely to export a
remote certificate if users in your organization use a VPN client to
establish a VPN connection between their laptops or desktop PCs
and the Sidewinder G2. The VPN client requires the use of a
certificate to identify itself during the VPN connection negotiations.
It is possible to use the Sidewinder G2 to create a self-signed
certificate for the VPN client. Once it is created it may be
converted to a new file format and then exported. From there it is
imported to the VPN client program.
Exporting a Firewall Certificate—This is used to export the firewall
certificate to a remote peer. This allows the remote peer to
recognize the Sidewinder G2. On the remote peer the firewall
certificate is imported as a remote certificate.
To export a certificate, in the Admin Console, select Services
Configuration -> Certificate Management, then select either the Remote
Certificates tab or the Firewall Certificates tab. Select the certificate you
wish to export and click Export. The following window appears.
Note: The tab you select depends upon your reason for exporting the certificate. See the
explanation in the previous paragraphs.
The Export Certificate window allows you to export the selected
certificate from the Sidewinder G2 to a separate file and/or to the
screen. The certificate can be written to a file on the hard drive of a
workstation, or it can be written to a transportable medium such as a
floppy diskette or an zip disk. You can export only the certificate, or
both the certificate and the private key.
Configuring Virtual Private Networks 13-49

Importing and exporting certificates
13-50 Configuring Virtual Private Networks
Exporting only the certificate
To export a certificate only, follow the steps below.
1. Select the Export Certificate (Typical) radio button.
2. Select the export destination:
Export Certificate To File—To export the certificate to a file, select
this option and proceed to step 3.
Export Certificate To Screen—Select this option to export the
certificate to the screen.
3. [Conditional] If you are exporting the certificate to file, do the following:
In the File field, type the name and location of the file to which the
client (or firewall) certificate will be written. If you want to
overwrite an existing file, but you are not certain of the path name
or the file name, click Browse.
In the Format field, select the appropriate format for the file.
4. Click OK to export the certificate to the desired location.
Exporting both the certificate and private key
To export both a certificate and private key, follow the steps below.
1. Specify whether the certificate and private key will be exported as one
file or two files by selecting one of the following options:
Export Certificate and Private Key as one file (PKCS12)—Select this
option to export both the certificate and private key as a single file,
and proceed to
Export Certificate and Private Key as two files (PKCS1, PKCS8,
X.509)—Select this option to export the certificate and private key
as two separate files.
2. [Conditional] To export the certificate and private key as a single file, do
the following:
a. In the File field, type the name and location of the file to which the
client (or firewall) certificate will be written. If you want to overwrite
an existing file but you are not certain of the path name or the file
name, click Browse. (The Format displays the file format.)
b. In the Password field, enter the password that will be used to
encrypt the certificate file.

Configuring VPN
Security
Associations
Configuring VPN Security Associations
c. In the Confirm Password field, re-enter the password that your
entered in the Password field.
d. Click OK to export the certificate and private key as a single file.
3. [Conditional] To export the certificate and private key as two separate
files, do the following:
a. In the Certificate File field, type the name and location of the file to
which the client or firewall certificate will be written. If you want to
overwrite an existing file but you are not certain of the path name or
the file name, click Browse. In the Format field, select the appropriate
format for the file.
b. In the Private Key File field, type the name and location of the file to
which the key will be written. If you want to overwrite an existing
file but you are not certain of the path name or the file name, click
Browse. In the Format field, select the appropriate format for the file.
Important: If you use a transportable medium to store the private key file (for
example .pk1, .pk8, or pk12), the medium should be destroyed or reformatted
after the private key information has been imported to the appropriate VPN
client.
c. Click OK to export the certificate and private key as separate files.
To configure a new VPN, you must perform the following steps:
1. Choose whether the VPN is connecting to a single machine or a
gateway that provides access for multiple machines.
2. Determine whether the IP address the VPN is connecting to is always
the same (static) or whether it changes (dynamic). If it is static, you must
provide the IP address of the machine.
Important: The remote end can only be dynamic if automatic key management is
chosen.
Configuring Virtual Private Networks 13-51

Configuring VPN Security Associations
Figure 13-15.
VPNs defined on
Sidewinder G2
About the Security
Associations window
13-52 Configuring Virtual Private Networks
3. Decide if you want to automatically manage the exchange and use of
keys (using IKE) or if you want to enter the session key manually at the
remote end.
For automatic key exchange, you must decide on the type of
authentication (either password or certificate) to be used between
the Sidewinder G2 and the remote end.
For manual key exchange, you must decide on the type of
authentication and encryption used between the Sidewinder G2
and the remote end and exchange these keys and Security
Parameters Index (SPI) values with the remote end via a secure
method (diskette, encrypted e-mail or telephone). You are also
required to provide the authentication and encryption keys
provided by the remote end.
Displaying and configuring a VPN Security Association
This section explains how to display and configure VPN associations.
In the Admin Console, select VPN Configuration -> Security Associations.
The following window appears.
You use the Security Associations window to view the current list of
VPN associations currently defined on the Sidewinder G2 and check
the status of VPNs. You can also add, modify, or delete VPN
associations.
To add or modify a VPN association, click Add or Modify and see
“Defining a VPN Security Association” on page 13-53 for details.

Figure 13-16. Security
Associations: Active
VPNs window
About the Active VPNs
window
Configuring VPN Security Associations
To delete a VPN association, select the VPN association you want to
delete, and click Delete.
To display which VPNs have active sessions, click Current VPN Status.
The Security Associations: Active VPNs window appears.
This window allows you to view the status of all configured VPNs.
The various statuses include:
Idle—No active session.
Active—One or more VPNs have active sessions established for this
VPN.
To update the information displayed, click Refresh. Click Close to
return to the main Security Association window.
Defining a VPN Security Association
When you click New or Modify from the Security Associations window,
the VPN Properties window appears. This window is used to add or
modify VPN associations. The window contains four tabs that are
used to enter distinct information about a VPN association.
Configuring Virtual Private Networks 13-53

Configuring VPN Security Associations
Figure 13-17. General
tab on the VPN
Properties window
13-54 Configuring Virtual Private Networks
Configuring the General tab
The General tab is used to enter basic information about the VPN
association. To configure the General tab, follow the steps below.
1. In the Name field, type the name of this VPN.
2. In the Enabled field, select Yes to enable this VPN association, or select
No to disable it.
3. In the Encapsulation field, select one of the following:
Tunnel—The more popular form of VPN encapsulation. Both the
data and the source and destination IP addresses are encrypted
within the encapsulated payload.
Transport—The native form of VPN. Transport mode encrypts the
data but the source and destination IP addresses are not
concealed.
See “Transport mode vs. tunnel mode” on page 13-6 for a more detailed
explanation of these terms.
4. In the Burb drop-down list, select the burb to which you want to assign
this VPN. The Sidewinder G2 terminates each VPN in a burb so that
access rules may be applied to the VPN.

Configuring VPN Security Associations
5. In the Mode field, specify how the remote end is operating. The valid
options are:
Fixed IP—Select this option if the IP address of the remote end is
always the same. You must also provide the IP address of the
remote end in the Remote IP field.
Dynamic IP Client—Select this option if the remote end is a device
whose IP address is not fixed. Example: A salesperson that gains
Internet access from a laptop.
Dynamic IP Restricted Client—Select this option if the remote end
is a device whose IP address is not fixed. Example: A salesperson
that gains Internet access from a laptop. The difference between
this option and Dynamic IP Client is that the remote end is assigned
a virtual IP address from a range specified by using either a Client
Address Pool or a range of acceptable external IP addresses. You
restrict the range of IP addresses available to the remote end by
using either the Client Address Pool field or the Dynamic Virtual
Address Range field.
Important: You can only use Dynamic IP Client or Dynamic IP Restricted Client if
automatic key management is used.
6. [Conditional] Determine if you want remote clients to make
connections using only the IP addresses contained within one of the
available client address pools. If so, use the Client Address Pool dropdown
list arrow to select the client address pool you want to use. With
this option, the Sidewinder G2 selects an IP address from the available
pool and assigns it to the client. (This field is available only if you select
Fixed IP or Dynamic IP Restricted Client in the Mode field.)
Important: See “Configuring client address pools” on page 13-18 for information
on creating a client address pool.
7. In the Local IP field, select one of the following:
Use Localhost IP—Select this option to use the default localhost IP
address.
Specify IP—Select this option to configure a specific IP address. In
the corresponding field, enter the IP address.
8. To add or modify a local network address to the Local Network/IP list (a
list of network names or IP addresses the Sidewinder G2 can use in a
VPN association), click New or Modify, respectively. See “Adding or
modifying an IP address” for details.
9. [Conditional] In the Remote IP field, type the IP address of the remote
client. This field is available only if you select Fixed IP in the Mode field.
Configuring Virtual Private Networks 13-55

Configuring VPN Security Associations
Adding or modifying
an IP address
13-56 Configuring Virtual Private Networks
10. [Conditional] If you selected Fixed IP in the Mode field, to add or modify
an entry to the Remote Network / IP list, click New or Modify,
respectively. This lists the IP addresses with which a VPN association can
be made. The addresses specified here typically represent a real
network located behind the client’s Sidewinder G2. See “Adding or
modifying an IP address” for details.
11. [Conditional] If you selected Dynamic IP Restricted Client in the Mode
field, to add or modify an entry to the Dynamic Virtual Address Range
list, click New or Modify, respectively. This list defines the range of
addresses a client can use when initiating a VPN connection. The
addresses specified here do not represent a real network but are virtual
addresses. With this option the client assigns their own IP address,
although the address must be within the approved address range.
12. [Optional] In the Comments field, type a short description for this VPN
association.
Note: You must input information from the Authentication tab before you can save this
Security Association entry. See “Configuring password information on the Authentication
tab” on page 13-57 for instructions.
The Local Network List window is used to define the range of IP
addresses that can be used in a VPN association. To add or modify an
IP address, follow the steps below.
1. In the IP Address field, type the IP address used in this VPN association.
2. In the Number of bits in Netmask field, use the up/down arrows to select
the number of bits that are significant in the network mask. The value
specified is used to identify the network portion of the IP address.
3. Click Add to add the IP address, and then click Close. To exit the window
without adding the IP address, click Close without clicking Add.
Entering information on the Authentication tab
To prevent access to the VPN from Internet hosts masquerading as the
VPN peer, various means of authenticating the peer are available. The
Authentication tab defines the authentication method that will be used
in this VPN association. It also defines the characteristics of the
selected authentication method. You can select four different
methods:

Configuring password
information on the
Authentication tab
Configuring VPN Security Associations
Password—Select this option if you and the remote end want to use
a password to verify the key exchange. The same password must
be used on both ends of this association. See “Configuring
password information on the Authentication tab” on page 13-57 for
detailed information.
Certificate + Certificate Authority—Select this option if you want to
use one or more trusted CAs and Remote Identities to validate the
certificate of the remote end. This method is commonly used by
organizations that have many remote users who must access
resources behind the Sidewinder G2. See “Entering Certificate +
Certificate Authority information on the Authentication tab” on
page 13-59 for detailed information.
Single certificate—Select this option if you want to validate the
remote end using a self-signed certificate generated by the
Sidewinder G2, or using a certificate generated by a CA server.
This method is commonly used by organizations that have a small
number of people that travel but need secure access to your
network. See “Entering Single Certificate information on the
Authentication tab” on page 13-61 for detailed information.
Manual—Select this option if you want to exchange session keys
manually (for example over the phone). See “Entering Manual
information on the Authentication tab” on page 13-62 for detailed
information.
The first three methods are automatic methods, meaning the session
keys are managed automatically between the Sidewinder G2 and the
remote end. The ISAKMP server must be enabled on the Sidewinder
G2 in order to automatically generate and exchange session keys. See
“Configuring the ISAKMP server” on page 13-11 for information. The
remote end of the VPN must also support ISAKMP.
With the manual method, matching session keys must be entered
manually at the Sidewinder G2 remote end. Each of these
authentication methods are described in the following sections.
The password information tabs in the Authentication window are
used to define password authentication for this VPN association. The
password is used to authenticate both peers in a potential VPN
association. To configure password information, follow the steps
below.
Note: Password-based authentication should only be used with fixed IP-configured VPN
or with extended authentication.
Configuring Virtual Private Networks 13-57

Configuring VPN Security Associations
13-58 Configuring Virtual Private Networks
On the General sub-tab
1. In the Enter Password field, type the password to be used each time
automatic key exchange takes place.
2. In the Verify Password field, confirm the password in the field provided.
3. [Conditional] Select the Require Extended Authentication check box if
you want to use Extended Authentication. This check box is available
only if an authentication method is configured for the ISAKMP server.
See “Extended Authentication for VPN” on page 13-8 for more
information on extended authentication.
On the Identities sub-tab
The Identities sub-tab is used to define unique identities for the
following:
Firewall Identity is included in the response to the remote client and
confirms to the client that it has established a VPN association with
the correct endpoint.
Remote Identity is used to match a client identity with a particular
security association; the Sidewinder G2 can then use this
information to determine the password the client should be using.
The remote identity is optional for Fixed IP VPN associations
because the Sidewinder G2 can use the IP address to determine
who the client is and thus what password the client should be
using.
1. In the Firewall Identity Type field, select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Valid options are:
E-mail address
Fully Qualified Domain Name
IP Address
Note: E-mail addresses are not recommended, as they are rarely used in the context
of a security gateway.
2. In the Value field, type the actual value used as the firewall identity. The
value must be of the type specified in the Firewall Identity Type field (for
example, if you selected IP Address in the Firewall Identity Type field, you
must type an IP address in the Value field.
3. Select the Gateway IP Address radio button if the Sidewinder G2 should
use the IP address of a Fixed IP client to determine what password the
client should be using.

Entering Certificate +
Certificate Authority
information on the
Authentication tab
Configuring VPN Security Associations
4. Select the Remote Identities radio button if the Sidewinder G2 should
use a remote identity to determine the ID of the client. Valid identities
for this association should be moved from the Available list to the
Trusted list.
5. [Optional] Click Remote Identities to go the Remote Identities window.
This is useful if you want to use an identity that has yet to be created.
When you add the identity and click Close, you will return to the
Password Authentication Identities tab.
6. Complete this tab by doing one of the following:
If you intend to change the Crypto or Advanced tab settings, go
directly to the next tab without clicking Add or Close.
If you do not intend to change the Crypto or Advanced tab
settings, click Add and then click Close. Click the Save icon.
If you do not want to save this Security Association entry, click
Close without clicking Add.
The Certificate + Certificate Authority tabs in the Authentication
window are used to define certificate and certificate authority
authentication for this VPN association. This means each peer must be
validated using certificates and remote identities before entering into
this VPN association. To configure the certificate and certificate
authority tabs, follow the steps below.
1. Select the Firewall Credentials sub-tab.
2. In the Firewall Certificate drop-down list, select the certificate that will
be used to identify the Sidewinder G2 to the remote peer. You can also
click the Firewall Certificates button to go to the Firewall Certificates
window. This is useful if you want to use a certificate that has yet to be
created.
Configuring Virtual Private Networks 13-59

Configuring VPN Security Associations
13-60 Configuring Virtual Private Networks
3. In the Firewall Identity Type field, select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Valid options are:
E-Mail
Fully Qualified Domain Name
IP Address
Distinguished Name
Note: Only those identities defined within the selected firewall certificate will be
available in this field.
Note: The Value field contains the actual value used as the Sidewinder G2 identity.
This value is filled-in automatically using the information from the selected
certificate. The field cannot be edited.
4. [Conditional] Select the Require Extended Authentication check box if
you want to use Extended Authentication. This check box is available
only if an authentication method is configured for the ISAKMP server.
See “Extended Authentication for VPN” on page 13-8 for more
information on extended authentication.
5. Select the Remote Credentials sub-tab.
6. In the list of Available Certificate Authorities, select a CA you want to
add as a trusted CA and click the ==>> button to add the CA to the
Trusted List. You can add several trusted CAs. To select a CA that has yet
to be defined, click the Cert Authorities button to go to the Certificate
Authorities window. In this window you can define the needed CA, and
then return here.
7. In the list of Available Remote Identities, select a remote identity you
want to add to the Trusted identity list and click the ==>> button. You
can add several trusted remote identities. To select an identity that has
yet to be defined, click the Remote Identities button to go to the
Remote Identities window. This window allows you to define the
needed identity, and then return here.
8. Complete this tab by doing one of the following:
If you intend to change the Crypto or Advanced tab settings, go
directly to the next tab without clicking Add or Close.
If you do not intend to change the Crypto or Advanced tab
settings, click Add and then click Close. Click the Save icon to save
your changes.
If you do not want to save this Security Association entry, click
Close without clicking Add.

Entering Single
Certificate information
on the Authentication tab
Configuring VPN Security Associations
The Single Certificate screen in the Authentication window is used to
define single certificate authentication for this VPN association. This
means the remote peer must use the selected remote certificate for
authentication before entering into this VPN association. To enter
certificate authentication information, follow the steps below.
1. In the Firewall Certificate drop-down list of available certificates, select
the certificate used to authenticate the key exchange. To create or
import a certificate, click the Firewall Certs button to go to the Firewall
Certificates window. See “Configuring and displaying firewall
certificates” on page 13-37 and “Importing a firewall certificate” on page
13-46 earlier in this chapter for details.
2. In the Remote Certificate drop-down list, select the certificate used on
the remote end of the VPN. To create or import a certificate, click the
Remote Certs button to go to the Remote Certificates window. See
“Configuring and displaying remote certificates” on page 13-40 and
“Importing a remote certificate” on page 13-47 for details.
3. In the Firewall Identity Type field select the type of identity to use when
identifying the Sidewinder G2 to the remote client. Valid options are:
Distinguished Name
E-mail address
Fully Qualified Domain Name
IP Address
Note: Only those identities defined within the selected firewall certificate will be
available in this field.
Note: The Value field contains the actual value used as the firewall identity. This
value is filled-in automatically using the information from the selected certificate.
The field cannot be edited.
4. [Conditional] Select the Require Extended Authentication check box if
you want to use Extended Authentication. This check box is available
only if an authentication method is configured for the ISAKMP server.
See “Extended Authentication for VPN” on page 13-8 for more
information on extended authentication.
5. Complete this tab by doing one of the following:
If you intend to change the Crypto or Advanced tab settings, go
directly to the next tab without clicking Add or Close.
If you do not intend to change the Crypto or Advanced tab
settings, click Add and then click Close. Click the Save icon to save
your changes.
If you do not want to save this Security Association entry, click
Close without clicking Add.
Configuring Virtual Private Networks 13-61

Configuring VPN Security Associations
Entering Manual
information on the
Authentication tab
13-62 Configuring Virtual Private Networks
The Manual screen in the Authentication window is used to define
manual authentication for this VPN association. This means that only a
remote peer that has entered the exact same manual key value will
have access through this VPN association. To configure manual
authentication, follow the steps below.
1. In the IPSEC Transformations drop-down list, select the appropriate form
of IPsec transformation. The valid options are:
Authentication Header (AH)—Provides authentication only.
Encapsulating Security Payload (ESP)—Provides encryption only.
Separate AH + ESP—Performs separate transformations for
authentication and encryption.
Combined ESP + AH—Performs a single transformation that
provides authentication and encryption.
2. In the Authentication Hash drop-down list, select the type of
authentication you and the remote end have chosen to use. The valid
options are:
HMAC-SHA1-96
HMAC-MD5-96
3. In the Encryption drop-down list, select the type of encryption you and
the remote end have chosen to use. The choices are:
Encryption type Key length
AES256 256-bit
AES128 128-bit
CAST128 128-bit
3DES 168-bit
DES 56-bit
Null 0
4. To define keys and SPI index values, click Generate Keys. You can type
your own unique key and SPI index, but it is not recommended.
Since manually generating random keys is difficult, the Sidewinder G2
provides randomly generated authentication and encryption keys and
Security Parameters Index (SPI) value for you and the remote end to use.
It is highly recommended that you use the default keys provided. You
must send these keys and SPI values to the remote end for them to use.

Configuring VPN Security Associations
Note: The individual key and SPI fields listed below may become available or
unavailable depending on the value selected in the IPsec Transformations field.
AH Inbound Key and SPI
AH Outbound Key and SPI
ESP Inbound Key and SPI
ESP Outbound Key and SPI
Important: Once you have chosen the keys, they must be kept a secret. You should
only exchange the keys by a secure method, such as floppy disk, encrypted e-mail
(such as PGP) or via the telephone. If attackers learn the key, they can decrypt all of
your VPN traffic.
5. To complete the manual key exchange, you must exchange these keys
and Security Parameters Index (SPI) values with the remote end via a
secure method (diskette, encrypted e-mail or telephone).
Note: The inbound and outbound keys/SPIs are entered in the opposite fields on the
remote end.
In the Authentication section, type the key and SPI used by the
remote end.
In the Encryption section, type the key and SPI used by the remote
end.
Important: You must be sure to type the key correctly or the VPN will not work.
Entering information on the Crypto tab
The Crypto tab defines the cryptographic and hashing algorithms used
to authenticate the peer in this VPN association. The information on
this tab is only used with automatic key exchange (that is,
Authentication Method = Password, Certificate + Certificate Authority,
or Single Certificate on the Authentication tab). To configure the
Crypto tab follow the steps below.
1. In the IPSEC Crypto Algorithms area, select an algorithm from the
Available list of available encryption algorithms, and click the ==>>
button to move it to the Accept list. You can have multiple algorithms in
the Accept list.
Use the Up and Down buttons to organize the algorithms according to
your preference. The first algorithm that appears in the Accept list will
be used.
Note: The Null option contains an encryption header but does not specify an
encryption algorithm. It is generally only used during testing. Compare this to the
None option, which does not contain an encryption header.
Configuring Virtual Private Networks 13-63

Configuring VPN Security Associations
Entering information on the
Advanced tab
13-64 Configuring Virtual Private Networks
2. In the IPSEC Hashing Algorithms area, select an algorithm from the
Available list of available hashing algorithms, and click the ==>> button
to move it to the Accept list. You can have multiple algorithms in the
Accept list.
Use the Up and Down buttons to organize the algorithms according to
your preference. The first algorithm that appears in the Accept list will
be used.
The Advanced tab defines some of the more arcane points of a VPN
association. As a general rule only administrators that are highlyschooled
in the nuts and bolts of VPN should modify the information
on this tab. The information on this tab is only used with automatic
key exchange (that is Authentication Method = Password, Certificate +
Certificate Authority, or Single Certificate on the Authentication tab).
The Advanced tab contains the following fields and buttons.
Phase 1 (ISAKMP) Rekey data fields
Hard Limits—Indicates how often the system must negotiate for
new ISAKMP keys and how much ISAKMP traffic this phase can
protect. The defaults are 3600 seconds (1 hour) and 0 (meaning no
limit to the amount of traffic).
Soft Percentage—Indicates how far in advance of the hard limit to
begin negotiating for new keys. This makes sure you have some
new keys on hand by the time the hard limit expires.
P1 Crypto—Specifies the crypto algorithm to use during Phase 1.
P1 Hash: Specifies the hash algorithm to use during Phase 1.
P1 Oakley—Indicates the Diffie-Hellman group to use for the PFS
derivation of ISAKMP keys.
Force XAuth on Rekey—Select this option to force XAuth to be
performed each time the phase 1 session is started or renegotiated.
Phase 2 (IPSEC) Rekey data fields
Hard Lifetimes—Indicates how often the system must negotiate for
new IPsec keys and how much traffic it can encrypt. The defaults
are 700 seconds and 0 (meaning no traffic limit).
Soft Percentage—Indicates how far in advance of the hard limit to
begin negotiating for new keys. This makes sure you have some
new keys on hand by the time the hard limit expires.

Example VPN
Scenarios
Example VPN Scenarios
Negotiate As Single Host—If this option is enabled it indicates that
every possible combination of source and destination must
establish a separate VPN association. Do not use this option unless
directed to do so by Secure Computing Corporation.
Forced Rekey—Forces the association to rekey when the limits are
reached, even if no traffic has passed through the VPN since the
last rekey.
Important: SCC strongly recommends enabling the Forced Rekey option if you
are using SafeNet SoftRemote and have XAUTH configured.
Caution: Do not enable the Forced Rekey option if you have One-To-Many
configured and are using static IP addresses for your VPNs. Doing so will cause all
Sidewinder G2s in the cluster to attempt to instantiate the VPN at the same time,
resulting in failure.
PFS—(Perfect Forward Secrecy) If this option is enabled it ensures
that the key material associated with each IPsec security
association cannot be derived from the key material used to
authenticate the remote peer during the ISAKMP negotiation. If a
key is compromised by a hacker, the information available to that
hacker is dependent on whether you select Identity or Key Only.
— Identity: Indicates that a Phase 1 negotiation is performed for
every Phase 2. This means the identity will not be revealed
even if the key is compromised; only the data protected by
that key will be accessible. The downside is that system
performance may be hurt because of the many negotiations.
— Key Only: Phase 1 negotiations are not performed for every
Phase 2. This will increase performance but may allow access
to the identity if the key is compromised.
Oakley Group: Indicates the Diffie-Hellman group to use for the PFS
derivation of IPsec keys. Available only if the PFS option is
enabled.
The following sections describe three typical VPN scenarios. Each
scenario begins by describing a particular VPN requirement. It then
explains how to implement the solution using the Admin Console.
These scenarios assume the following:
The VPN feature is licensed for your Sidewinder G2.
The CMD server is enabled on the Sidewinder G2. (This server will
be enabled by default.)
Configuring Virtual Private Networks 13-65

Example VPN Scenarios
Figure 13-18. VPN
between two corporate
offices
13-66 Configuring Virtual Private Networks
The ISAKMP server is enabled on the appropriate burb. See
“Configuring the ISAKMP server” on page 13-11 for information on
enabling this server. In the scenarios that follow, it is assumed the
server is enabled on the Internet burb.
The proper rule(s) are defined to allow ISAKMP traffic on the
proper burb(s). In the scenarios that follow it is assumed a rule has
been defined that allows ISAKMP traffic on the Internet burb.
Note: The values used in the following scenarios are for demonstration purposes only.
Scenario 1: Sidewinder G2-to-Sidewinder G2 VPN via
shared password
The easiest type of VPN association to configure is one that uses a
shared password for authentication. A shared password is typically
used to establish a VPN association between two corporate offices
that have static IP addresses. Such a situation occurs if you have a
business partner that requires access to your network, or if you have
one or more corporate divisions located in different cities.
The following figure provides the sample configuration information
used in this scenario.
Sidewinder G2
50.1.0.0/16 100.1.1.1
fw.west.bizco.net
The requirements This VPN scenario requires the following:
A VPN connection between two corporate offices
Shared password authentication
200.1.1.1
Sidewinder G2
Internet
burb
Trusted
burb
fw.east.bizco.net
Static IP addresses for each peer in the VPN association
250.1.1.0/24

Example VPN Scenarios
How it is done The following steps show the fields on the VPN menus that must be
defined in order to create this VPN association. The configuration
steps are performed on the Sidewinder G2 named fw.east.bizco.net.
In the Admin Console, select VPN Configuration -> Security Associations,
and then click New to configure a new association.
1. On the General tab:
Name = corporate_west
Encapsulation = Tunnel
Mode = Fixed IP
Enabled = Yes
Burb = Trusted
Local IP = localhost
Remote IP = 100.1.1.1
Client Address Pool =
Local Network / IP = 250.1.1.0/24
Remote Network / IP = 50.1.0.0/16
Note: When configuring the Sidewinder G2 named fw.west.bizco.net, the Local Network/
IP and the Remote Network/IP values are reversed and the Remote IP value is 200.1.1.1.
2. On the Authentication tab:
Authentication method = password
Enter password = samplepassword
Verify password = samplepassword
3. On the Crypto tab: Order the algorithms to match that of the other
Sidewinder G2.
4. On the Advanced tab: No changes needed.
5. Click Add to save the new VPN security association.
6. Click the Save icon.
Summary And that is it. The VPN can be used as soon as the other Sidewinder
G2 is configured. The same type of information is entered at the other
Sidewinder G2, changing the IP addresses as appropriate.
Configuring Virtual Private Networks 13-67

Example VPN Scenarios
Figure 13-19. One VPN
association per client
13-68 Configuring Virtual Private Networks
Scenario 2: Simple deployment of remote users
A common reason for using a VPN is to allow your travelling
employees to connect to your corporate network from a remote site.
This connection is typically made between an employee’s laptop
computer and your corporate Sidewinder G2. In this type of VPN
association, single (also known as "self-signed") certificates are
generated by the Sidewinder G2 and distributed to each client. This
type of VPN can be used with dynamic IP-assigned clients and
gateways. One association must be created for each client, so this type
of VPN is typically used only if you have a small number of remote
clients.
The following figure provides the sample configuration information
used in this scenario. Note that the remote end of this VPN connection
(from the Sidewinder G2 point of view) is a laptop that will be using a
dynamic IP address.
VPN
Client A
VPN
Client B
Internet
The assumptions This VPN scenario assumes the following:
Sidewinder G2
200.1.1.1 Internet
burb
Trusted
burb
250.1.1.0/24
Host
Virtual
burb
fw.east.bizco.net
Router
192.168.182.0
A VPN connection between a remote computer and the
Sidewinder G2
A self-signed firewall certificate that is generated by the Sidewinder
G2
One or more remote certificates that is generated by the
Sidewinder G2 and distributed to the clients
One VPN association per client
Each VPN association is terminated in the Virtual burb
VPN clients should have access to the 250.1.1.0 network but not
the 192.168.182.0 network
Host

Example VPN Scenarios
All clients make connections using a virtual IP address assigned
from a client address pool
All clients use VPN client software that supports mode-config
Important: When determining your deployment method, consider what steps will you
take to ensure the protection of your private key material. Allowing unauthorized access to
your private key material could compromise your entire network.
How it is done The following steps show the fields on the VPN menus that must be
defined in order to create this VPN association. The basic idea is to:
— Create a firewall certificate that identifies the Sidewinder G2.
Export this certificate to each client.
— Create a remote certificate that uniquely identifies each client.
Export each certificate to the respective client.
— Create a client address pool.
— Create a VPN association for each client.
1. In the Admin Console, select Services Configuration -> Certificate
Management, and then enter the following information on each tab:
a. On the Firewall Certificates tab, click New and create a firewall
certificate by specify the following:
Certificate Name = MyFirewall_cert
Distinguished Name: CN=MyFirewall,O=bizco,C=US
Submit to CA = Self Signed
Signature Type = RSA
Click Add.
Click the Save icon.
b. [Optional] On the Firewall Certificates tab, click Export and export
the firewall certificate by specify the following:
Destination = File
Export Private Key to File: Click Browse and specify where you
want to save the private key. The private key is often saved to an
accessible location (portable storage device or protected
network) for distribution to the client.
Export Firewall Certificate to File: Click Browse and specify where
you want to save the firewall certificate. The firewall certificate is
often saved to an accessible location (portable storage device or
protected network) for distribution to the client.
Click OK.
Configuring Virtual Private Networks 13-69

Example VPN Scenarios
13-70 Configuring Virtual Private Networks
c. On the Remote Certificates tab click New and create a self-signed
certificate for a client by specify the following:
Certificate Name = Sales_A
Distinguished Name: CN=Sales_A,O=bizco,C=US
Submit to CA = Self Signed
Signature Type = RSA
Important: If you are using SafeNet SoftRemote as your client software, you must
create this file using the PKS12 extension.
Click Add.
Click the Save icon.
d. Repeat step 1c for each remote client.
e. On the Remote Certificates tab, click Export and export the remote
certificate by specify the following:
Destination = File
Export Client Private Key to File: Click Browse and specify where
you want to save the private key.
Export Client Certificate to File: Click Browse and specify where
you want to save the client certificate.
Format: Select the appropriate format for the client private key
and client certificate in the corresponding Format drop-down
lists.
Click OK.
f. Repeat step 1e for each remote client. When you are finished you
should have the firewall certificate as well as either the PKCS12formatted
object or the certificate/key file pair for that client saved
to a location accessible by the remote client (portable storage
device or network)
2. In the Admin Console, select VPN Configuration -> Client Address Pools,
and then click New to create a new client address pool.
Using a client address pool lets you define which local networks the
clients can access. For this example, assume you want to permit access
to the 250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote
currently does not support this capability—it must be manually configured with
information about the locally protected subnet.
a. Enter New Pool Name = SalesPool
b. Virtual Subnet = 10.1.1.32/27

Example VPN Scenarios
c. Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click
Add.
d. Click Add to add the new pool.
Note: The Subnet and Number of Bits in Netmask fields work in concert to
determine the network portion of the addresses in the pool as well as the total
number of addresses in the pool. The values shown here provide 30 possible
addresses: 10.1.1.33 - 10.1.1.62. Modify these two values as appropriate for your
situation. (For example, in this scenario you might alternatively specify IP Address =
10.1.1.16 and Netmask = 28, creating 14 possible addresses: 10.1.1.17 - 10.1.1.30.)
e. On the Servers tab: If the client software you are using supports this
mode-config capability, specify your internal DNS and WINS servers
here.
f. Click Add.
3. In the Admin Console, select VPN Configuration -> Security Associations,
and then click New to configure a new association.
a. On the General tab:
Name = Sales_A
Encapsulation = Tunnel
Mode = Dynamic IP Restricted Client
Enabled = Yes
Burb = Virtual
Local IP = localhost
Client Address Pool = SalesPool
b. On the Authentication tab:
Authentication method = Single Certificate
Firewall Certificate = Select the certificate you created in step 1A
Remote Certificate = Select the certificate you created in step 1C
for this client
c. On the Crypto tab: Order the algorithms to match that of the client
d. On the Advanced tab: No changes needed
e. Click Add to save the new VPN association.
f. Click the Save icon to save your changes.
4. Repeat step 3 for each client, changing the name in step 3A and the
remote certificate in step 3B as appropriate.
Configuring Virtual Private Networks 13-71

Example VPN Scenarios
Summary Each individual VPN connection can be used as soon as the remote
clients are configured. Each client will need the client-specific
certificate and private key information you saved in steps 1B and 1C
in order to configure their end of the VPN connection. If you saved
this information to diskette you can either hand it to them in person,
mail it to them, or perform the imports while the machine is within a
trusted network. It is not safe to distribute certificate and private key
information via e-mail.
Figure 13-20. One VPN
association for all clients
13-72 Configuring Virtual Private Networks
Note: The configuration described above restricts VPN traffic by terminating it in a virtual
burb. Proxies and rule entries must be configured to specify what access the VPN clients
have to the trusted network.
Scenario 3: Large scale deployment of clients
This scenario is similar to Scenario 2 except that instead of a small
number of remote clients it assumes you have hundreds or even
thousands of remote clients. Because it is unreasonable to create a
unique VPN association for each client, a Certificate Authority (CA)
will be used. The CA, in conjunction with the remote identities you
define, allows you to create one VPN that is accessible by all of the
clients.
The following figure provides the sample configuration information
used in this scenario.
VPN
Client A
VPN
Client B
VPN
Client ZZZ
Internet
Sidewinder G2
200.1.1.1 Internet
burb
Trusted
burb
250.1.1.0/24
Host
Virtual
burb
fw.east.bizco.net
Host
Router
192.168.182.0

The assumptions This VPN scenario assumes the following:
Example VPN Scenarios
A VPN connection between a Sidewinder and many clients
A Certificate Authority-based VPN
A single VPN association for all clients with a like security policy
rather than one association per client
The VPN association is terminated in a virtual burb
The clients can have dynamic or static IP addresses
VPN clients should have access to the 250.1.1.0 network but not
the 192.168.182.0 network
All clients make connections using a virtual IP address assigned
from a client address pool
All clients are using VPN client software that supports mode-config
Note: It is assumed in this scenario that the clients do not have access to the CA and must
rely on the Sidewinder G2 to create and distribute the necessary certificates and private
keys.
How it is done The following steps show the fields on the VPN menus that must be
defined in order to create this VPN association. The basic idea is to:
— Define the CA used with this VPN
— Create a firewall certificate that is signed by the CA
— Create one or more identities that define who is authorized to
use this VPN
— Create a client address pool
— Create the VPN security association
— Create the client certificates for each client
— Provide certificate information and/or files to clients as
necessary
Tip: Some VPN client software, such as SafeNet SoftRemote, allow users to self-enroll
online to obtain their personal certificates, which can greatly reduce administrative effort.
See the VPN Admin Guide for more details.
Configuring Virtual Private Networks 13-73

Example VPN Scenarios
13-74 Configuring Virtual Private Networks
1. In the Admin Console, select Services Configuration -> Certificate
Management, and then enter the following information on each tab.
a. On the Certificate Authorities tab, click New and create a CA by
specifying the following:
CA Name = BizcoCA
Type = SCEP (or whatever value is appropriate)
URL = http://10.18.128.8
Click Add.
Click the Save icon to save your changes.
Click Get CA Cert (Retrieves the CA Cert from the URL address.)
Click Get CRL (Retrieves the Certificate Revocation List for this CA.)
b. On the Firewall Certificates tab, click New and create a firewall
certificate by specifying the following:
Certificate Name = BizcoFW_by_CA
Distinguished Name: CN=BizcoFW_by_CA,O=Bizco,C=US
Submit to CA = BizcoCA
Signature Type = RSA
Click Add.
Click the Save icon to save your changes.
At this point the Status field for this certificate will be PENDING. This is
because the request has been sent to the CA but the certificate has yet
to be created. The status will remain PENDING until the CA
administrator approves your request.
Click Query. This queries the CA to see if the certificate is
approved. If yes, the Status field will change to SIGNED and the
certificate is imported.
Note: The Sidewinder G2 automatically queries the CA every 15 minutes to see if the
request has been accepted. If the request has been accepted, the Sidewinder G2 will
retrieve the resulting certificate.
c. On the Remote Identities tab, click New and create one or more
identities that define who is authorized to use this VPN.
Identity Name = Sales_force
Distinguished Name: CN=*,OU=sales,O=bizco,C=us
Click Add.
Click Close.
Click the Save icon to save your changes.

Example VPN Scenarios
2. In the Admin Console, VPN Configuration -> Client Address Pools, and
then click New to create a new client address pool.
Using a client address pool lets you define which local networks the
clients can access. For this example, assume you want to permit access
to the 250.1.1.0 network but not the 192.168.182 network.
Note: Your client software must support this capability. SafeNet SoftRemote
currently does not support this capability—it must be manually configured with
information about the locally protected subnet.
a. Enter New Pool Name = SalesPool
b. Virtual Subnet = 10.1.1.0/24
c. Click New. In the Local Subnet field, enter 250.1.1.0/24 and then click
Add.
d. Click Add to add the new pool.
Note: The IP Address and Number of Bits in Netmask fields work in concert to
determine the network portion of the addresses in the pool as well as the total
number of addresses in the pool. The values shown here provide 254 possible
addresses: 10.1.1.0–10.1.1.255. Modify these two values as appropriate for your
situation.
e. On the Servers tab:
If the client software you are using supports this mode-config
capability, specify your internal DNS and WINS servers here.
f. Click Add.
g. Click the Save icon to save your changes.
3. In the Admin Console, VPN Configuration -> Security Associations, and
then click New to configure a new association.
a. On the General tab:
Name = Large_scale_sales
Encapsulation = Tunnel
Mode = Dynamic IP Restricted Client
Enabled = Yes
Burb = Virtual
Local IP = localhost
Client Address Pool = VPNPool
Configuring Virtual Private Networks 13-75

Example VPN Scenarios
13-76 Configuring Virtual Private Networks
b. On the Authentication tab:
Authentication method = Certificate + Certificate Authority
Firewall Certificate = BizcoFW_by_CA (created in step 1B)
Certificate Authorities = BizcoCa (created in step 1A)
Remote Identities = Sales_force (created in step 1C)
c. On the Crypto tab: Order the algorithms to match that of the client.
d. On the Advanced tab: No changes needed
e. Click Add to save the new VPN association.
f. Click the Save icon to save your changes.
4. In the Admin Console, Services Configuration -> Certificate Management.
On the Remote Certificates tab click New and create a certificate for a
client by specifying the following:
Note: You can skip this step and step 5 for those clients that have online access to
the CA. These clients can create and retrieve their own certificates.
Certificate Name = Sales_A
Distinguished Name: CN=Sales_A,OU=sales,O=bizco,C=US
Submit to CA = BizcoCA
Signature Type = RSA
Private Key: Click Browse and specify where you want to save the
private key associated with this certificate. In this scenario it is
common to save the certificate to the same location as the
exported firewall certificate.
Certificate: Click Browse and specify where you want to save this
certificate. In this scenario it is common to save the certificate to
the same location as the private key and the exported firewall
certificate.
Click Add.
Click the Save icon to save your changes.
5. In the Admin Console, Services Configuration -> Certificate Management.
Export the CA certificate and the firewall certificate to the same location
used in step 4.

Example VPN Scenarios
a. On the Certificate Authorities tab, select the CA certificate you
created in step 1A, then click Export and export the certificate by
specifying the following:
Destination = File
Generated CA Certificate File: Click Browse and specify where you
want to save the CA certificate. Add the .pem extension to the file
name.
Click OK.
b. [Optional] On the Firewall Certificates tab, select the firewall
certificate you created in step 1B, then click Export and export the
certificate by specifying the following:
Destination = File
Export Firewall Certificate to File: Click Browse and specify where
you want to save the firewall certificate. Add the .pem extension
to the file name.
Click OK.
6. Repeat steps 4 and 5 for each remote client.
When you are finished your storage location should have four items for
each remote client: the CA certificate, the firewall certificate, the unique
private key for the client, and the remote certificate for the client.
Summary Sidewinder is ready to accept connections across this VPN as soon as
the remote clients are configured. In order to configure their end of
the VPN connection, each client will need the client-specific certificate
and private key information you saved in step 4 as well as the firewall
and CA certificates created in step 5. If you saved this information to
diskette you can either distribute the information in person or mail it
to them, or perform the imports while the machine is within a trusted
network. It is not safe to distribute certificate and private key
information via e-mail.
Note: The configuration described above restricts VPN traffic by terminating the VPN
association in a virtual burb. Proxies and rules must be configured to specify what access
the VPN clients have to the trusted network.
Configuring Virtual Private Networks 13-77

Example VPN Scenarios
13-78 Configuring Virtual Private Networks

C HAPTER 14
Configuring the SNMP
Agent
About this chapter This section introduces SNMP concepts and explains how to configure
the Sidewinder G2 SNMP agent. It also explains what needs to be
done to allow the Sidewinder G2 to send or route messages to remote
systems in an external network. The following topics are covered:
SNMP and
Sidewinder G2
“SNMP and Sidewinder G2” on page 14-1
“Setting up the SNMP agent on Sidewinder G2” on page 14-8
“About the management station” on page 14-10
“Communication with systems in an external network” on page 14-
11
The Sidewinder G2 supports SNMPv1 and SNMPv2c. SNMP is the
industry standard for network management. You can set up SNMP
agent software that allows the Sidewinder G2 to be monitored by
SNMP compliant network management stations located on an internal
or external network. You can also configure the Sidewinder G2 to
route SNMP messages between a management station inside the
Sidewinder G2 and an SNMP agent on a system in an external
network.
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is
allowed to operate on the Sidewinder G2, access through other burbs is supported using
the UDP proxy. In addition, SNMP will only accept requests addressed to the first interface
in a burb.
14
Configuring the SNMP Agent 14-1

14
SNMP and Sidewinder G2
Figure 14-1. Managing
distributed systems
using SNMP
14-2 Configuring the SNMP Agent
SNMP basics
A network that is managed using SNMP involves two primary
components: a manager (management station) and a number of
managed nodes. The management station is typically a PC or UNIX
workstation running network management software such as Hewlett-
Packard’s OpenView ® Windows or Novell ManageWise. Managed
nodes are networking devices such as routers or Sidewinder G2s that
contain an SNMP agent. Figure 14-1 shows a management station
communicating with SNMP nodes to obtain network configuration
information.
SNMP
Management
Station
Sidewinder G2
(managed
node)
R
router
(managed node)
server
(managed node)
The management station displays a graphical representation of a
network’s topology through a Windows-based environment. In
general, network managers can monitor each SNMP node (including
the Sidewinder G2) by clicking on an icon representing each node in
the network’s topology.
A management station in the internal or external network can request
information from a managed node’s SNMP agent. The SNMP
management station sends a managed node Get and GetNext SNMP
messages to retrieve node-specific parameters and variables, called
objects. The message response from the managed system provides the
SNMP administrator with information on a node’s device names,
status, network connections, etc.
Important: SNMPv1 agents typically allow Get, GetNext, and Set requests from the
management station. However, the Sidewinder G2 SNMPv1 agent does not support Set
requests. This prevents a management system from sending commands to change
variables or parameters in the Sidewinder G2.

Figure 14-2. Community
name within an SNMP
message
SNMP and Sidewinder G2
Each managed node can send an unsolicited event notification
message, called a trap, to a management station when it detects
certain system events. For example, you can configure the SNMP
agent in the Sidewinder G2 to issue a trap whenever an unauthorized
user tries to read, write, or execute a protected file on the Sidewinder
G2. (Refer to “Sidewinder G2 SNMP traps” on page 14-4” for a list of
all traps supported by the Sidewinder G2.)
When setting up SNMP management, a network administrator assigns
the management station and the nodes it will manage a community
name. As shown in Figure 14-2, the community name is in the
authentication header in each SNMP message exchanged between a
management station and a managed node.
VERSION
COMMUNITY
NAME
SNMP COMMAND: GET, GETNEXTREQUEST, ETC.
The SNMP agent treats the community name like a password to
validate the identity of a management station. For example, suppose a
management station sends a get request to retrieve information from
a managed node’s SNMP agent. If the community name within the
get request is not also used by the SNMP agent, the agent will not
return information to the management station.
Caution: To increase security on your network, DO NOT use common default names
such as "public" or "private," which can be easily guessed.
Both the management station and the managed node also contain
Management Information Bases (MIBs) that store information about
the managed objects. Currently, the SNMP agent on the Sidewinder
G2 supports standard MIB II objects, the Host Resources MIB
(RFC1514), and the Sidewinder G2-specific MIB objects. MIBs are
discussed in greater detail later in this chapter.
Note: The MIBs used for compiling the SNMP agent for the Sidewinder G2 are located in
/etc/sidewinder/snmp.
If you need more information on SNMP, an excellent source is
Managing Internetworks with SNMP by Mark A. Miller, P.E. (M&T
Books).
Configuring the SNMP Agent 14-3

SNMP and Sidewinder G2
14-4 Configuring the SNMP Agent
Sidewinder G2 SNMP traps
An SNMP trap is an alert message that is sent as an unsolicited
transmission of information from a managed node (router, Sidewinder
G2, etc.) to a management station. Most management stations can be
configured to either: (1) display received traps in a pop-up window,
or (2) automatically dial a phone number; such as a pager number.
The Sidewinder G2 SNMP agent supports a basic trap, called the
ColdStart trap, that is sent whenever the SNMP agent in the Sidewinder
G2 is enabled. It is also sent if the SNMP configuration file
(/etc/sidewinder/snmp/snmpd.conf) is modified by the Admin
Console.
Note: You cannot disable the ColdStart trap.
You also have the option to configure the Sidewinder G2 to send
audit alarm SNMP traps when an audit event triggers an alarm in the
Sidewinder G2. Pre-defined alarm events in the Sidewinder G2 are
contained in the 200 range (for example, 201, 202). You also have the
option to create your own custom traps as well. Custom traps will
return messages that contain numbers 215–225. For a list of available
SNMP traps, see the
cf snmptrap man page.
To configure the Sidewinder G2 to send the following pre-defined
traps, refer to “Configuring alarm events and event responses” on
page 17-1.
ATTACK_ATTEMPT—This trap is sent when an attack attempt (that is,
any suspicious occurrence) is identified by one of the services on
the Sidewinder G2. For example, if the Network Services Sentry
(NSS) detects a suspicious IP address on an incoming connection,
it will issue an attack attempt trap.
FAILOVER_EVENT—This trap is sent any time a Sidewinder G2
changes its status in an HA cluster from secondary to primary, or
from primary to secondary.
MAIL_FILTER_FAILURE—This trap is sent when SMTP mail messages
fail a configured mail filter. For example, if a mail message failed
the Key Word Search filter, a mail filter failure event would be
logged.
Note: The mail filter map configuration determines what is done with failed
messages.

SNMP and Sidewinder G2
IPSEC_FAILURE—This trap is sent when IPSec errors exceed the
configured threshold values.
LICEXCEED_FILTER—This trap is sent when users are denied access
through the Sidewinder G2 due to a user license cap violation.
LOG_FILE_OVERFLOW—This trap is sent when the Sidewinder G2
audit logs are close to filling the partition.
PROBE_ATTEMPT—This trap is sent when network probe attempts
are detected (that is, any time a user attempts to connect or send a
message to a TCP or UDP port that either has no service associated
with it or it is associated with an unsupported service). The
Sidewinder G2 offers two methods for your site to ignore network
probe attempts:
— Create an IP Filter Deny rule: You can create an IP Filter deny rule
to discard probes coming from recognized offenders. For
information on creating an IP Filter deny rule, see “Creating IP
Filter rules” on page 7-12.
— Create an ignore list: You can create an ignore list that will
ignore probe attempts and generate an audit event. For
information on creating an ignore list, see “Ignoring network
probe attempts” on page 17-17.
ACCESS_CONTROL—This trap is sent when the number of denied
access attempts to services exceeds a specified number. For
example, you may set up your system so that internal users cannot
FTP to a certain Internet address. If a user tried to connect to that
address, the attempt would be logged as a denial.
UPS_POWER_FAILURE—This trap is sent when a connected
Uninterruptible Power Supply (UPS) has a power failure and the
Sidewinder G2 is running on UPS battery power.
PROXY_FLOOD—This trap is sent when potential connection attack
attempts are detected. A connection attack is defined as one or
more addresses launching numerous proxy connection attempts to
try and flood the system. When NSS receives more connection
attempts than it can handle for a proxy, that proxy is briefly
stopped (to allow the proxy to "catch up") and is then restarted,
and an audit event is created.
DENIED_AUTH—This trap is sent when a user attempts to
authenticate and enters invalid data. For example, if a user is
required to enter a password and entered it incorrectly, the denied
auth_filter would log the event.
Configuring the SNMP Agent 14-5

SNMP and Sidewinder G2
14-6 Configuring the SNMP Agent
Note: This type of event is not logged when an administrator attempts to switch to
an unauthorized role (srole) or enter incorrect login information.
UPS_SYSTEM_SHUTDOWN—This trap is sent when the Sidewinder
G2 has been running on UPS battery power for the estimated
battery time. (See “Configuring the Sidewinder G2 to use a UPS”
on page 3-58 for additional information on UPS)
SYN_FLOOD_ATTACK—This trap is sent when the Sidewinder G2
encounters a SYN attack.
TE_VIOLATION—This trap is sent when an unauthorized user or
process attempts to perform an illegal operation on a file on the
Sidewinder G2.
NETWORK_TRAFFIC—This trap is sent when the number of traffic
audit events written by the various proxies (WWW, Telnet, FTP,
etc.) going through the Sidewinder G2 exceeds a specified number
in a specified time period. This information can be useful for
monitoring the use of the Sidewinder G2 services by internal users.
Note: Network traffic thresholds are reported as number of events per second, and
not as number of bytes per second.
CRIT_COMP_FAILURE—This trap when the Sidewinder G2 detects
that a critical component has failed. For example, this trap occurs
when daemond detects a software module has failed.
VIRUSMIME—This trap occurs when the number of mail or HTTP
messages that failed the MIME/Virus filter exceeds a specified
threshold in a specified time period.
Sidewinder G2 SNMP MIBs
Management Information Bases (MIBs) are associated with both the
management station and the SNMP agent in the Sidewinder G2. The
Sidewinder G2 SNMP agent supports two MIB structures (as well as a
Host MIB).
mib2—This is a standard SNMP MIB as defined in RFC-1213.
sccMibSw—This is a Sidewinder G2-specific MIB provided by
Secure Computing Corporation. Figure 14-3 shows the location of
the Sidewinder G2 MIB structures within the SNMP root hierarchy.
Note: MIBs that are used to compile the SNMP agent for the Sidewinder G2 are located in
/etc/sidewinder/snmp.

Figure 14-3. MIBs
supported by the
Sidewinder G2 SNMP
agent
SNMP and Sidewinder G2
All individual objects (parameters and variables) managed by an
SNMP management station are part of an object group within an MIB.
For example, the swProxy group stores information about currentlydefined
proxies on the system. The information might include the
proxy name and the current status of the proxy.
When a management station requests information from the
Sidewinder G2 SNMP agent, the SNMP agent may or may not
associate the returned information with a specific burb.
system
interfaces
mgmt
mib2
iso
org
dod
internet
ip tcp
icmp udp
snmp
private
enterprises
scc
sccMibs
sccMibSw
swProxy swBurb
Note: A burb is a type enforced network area used to isolate network interfaces from
each other. A burb is identified by a unique name (internal, external, etc.) as assigned
during the Sidewinder G2 installation process.
Configuring the SNMP Agent 14-7

Setting up the SNMP agent on Sidewinder G2
Setting up the
SNMP agent on
Sidewinder G2
Figure 14-4. SNMP
Configuration window
Entering information on the
SNMP Server Configuration
tab
14-8 Configuring the SNMP Agent
This section explains how to use the Admin Console to configure the
SNMP agent on the Sidewinder G2.
The SNMP agent may be enabled in any single burb that is not the
Firewall burb. It cannot be enabled on multiple burbs. To allow SNMP
management stations that reside in other burbs for the SNMP agent,
you must create an allow rule for SNMP and enable the SNMP proxy
in the appropriate burb(s). The source burb for this rule should
consist of a network object group that contains only SNMP
management station IP addresses. The destination burb should specify
the destination IP address for the burb in which SNMP is running. For
information on configuring network objects, see “Displaying network
objects and netgroups” on page 5-10. For information on configuring
an SNMP Application Defense, see “Creating SNMP Application
Defenses” on page 6-42.
Note: If you are configuring SNMP on a Sidewinder G2 that is part of an HA cluster, all
Sidewinder G2 queries must use the HA cluster address.
To set up the SNMP agent, in the Admin Console select Services
Configuration -> Servers. Select snmpd in the list of server names, and
then click the Configuration tab. The following window appears.
This window is used to enter configuration information for the SNMP
agent. Follow the steps below.

Defining a community
name
Setting up the SNMP agent on Sidewinder G2
1. [Optional] In the Location field, type a description of the physical
location of your Sidewinder G2.
2. [Optional] In the Contact field, type your Sidewinder G2 administrator
user name.
3. In the Enable Authentication Failure Trap field, select Yes to enable
authentication failure traps, or No to disable authentication failure traps.
If you click Yes, the Sidewinder G2 will send authentication failure traps
to all configured management stations whenever the Sidewinder G2
detects an unauthenticated Get command.
4. In the Allowed Get Communities you can view all of the community
names authorized to retrieve MIB information. The community name is
part of the authentication header in all SNMP messages. The Sidewinder
G2 SNMP agent checks the community name in all SNMP messages it
receives to verify the identity of a manager.
To add, modify, or delete communities, use the New, Modify, and Delete
buttons located directly beneath the list. See “Defining a community
name” on page 14-9 for information on adding or modifying a
community name.
Note: The SNMP daemon will not start unless a community name is specified. By
default, if you do not specify an Allowed Get Community name, the only Allowed
Get Community is “public.”
5. In the Trap Destinations field, you can view all of the hosts that will
receive traps generated by the Sidewinder G2 SNMP agent. To add,
modify, or delete trap destinations, use the New, Modify, and Delete
buttons located directly beneath the list. See “Defining a trap
destination” on page 14-10 for information on adding a new trap
destination name or IP address.
Note: By default, if you do not specify a trap destination community name, the
Sidewinder G2 uses the community name “public.”
6. Click the Save icon in the toolbar to apply the changes. If the SNMP
agent is enabled, a ColdStart trap is issued to all configured trap
destinations whenever you save configuration changes.
The Allowed Get Community window enables you to add or modify
names in the list of authorized community names. As an SNMP agent,
the Sidewinder G2 will only respond to requests from management
stations that belong to a community in this list. Follow the steps
below.
1. In the Community Name field, type the name you want added to the list
of allowed communities.
Configuring the SNMP Agent 14-9

About the management station
14-10 Configuring the SNMP Agent
2. Click Add to add the community to the list (or OK if you are modifying a
community) and return to the Configuration tab.
Defining a trap destination The Trap Destination window enables you to define a new host or to
modify an existing host in the Trap Destination list. The hosts in this
list will receive traps issued by the Sidewinder G2. Follow the steps
below.
About the
management
station
1. In the Host Name or Address field, type the name or IP address of the
host you want added to the Trap Destinations list.
2. [Optional] In the Community name field, type the community name
associated with this host.
3. Click Add to add the trap destination to the list (or OK if you are
modifying a trap destination) and return to the Configuration tab.
Enabling/disabling the SNMP server
Perform the following steps to enable or disable the SNMP server.
1. In the Admin Console select Services Configuration -> Servers.
2. Select snmpd from the list of server names, and then click the Control
tab.
3. Select the burb for which the SNMP agent will be enabled or disabled.
The SNMP agent can only be enabled for one burb, and it cannot be
enabled for the Firewall burb.
4. Click the Save icon.
Note: You must define an allow all rule for the SNMP agent before SNMP queries will be
allowed through the Sidewinder G2. For information on creating rules, see “Creating proxy
rules” on page 7-4.
Note: Enabling the SNMP server will cause the Sidewinder G2 to send a ColdStart trap to
the management station(s).
The administrator of the SNMP management station should be made
aware of the following in order to retrieve information from the
Sidewinder G2 SNMP agent:

Communication
with systems in an
external network
Communication with systems in an external network
Sidewinder G2 host name or IP address
This is needed to set up communication with the Sidewinder G2.
Note 1: If the burb in which the SNMP agent is running contains more than one
interface, specify the address of the first interface in the burb. The SNMP agent will
only respond to the first interface in the burb.
Note 2: If you are using High Availability (HA), specify the shared HA cluster IP
address or host name, not the actual interface address or host name.
Community names configured in the Sidewinder G2 SNMP agent
This is needed to allow the management station to retrieve MIB
objects from the SNMP agent.
MIB information
This may be needed to properly translate the object identifications.
Be sure to inform the administrator that the Sidewinder G2 supports
the Host Resources MIB.
Important: On the Sidewinder G2, all Secure Computing Corporation MIB files are
located in the /etc/sidewinder/snmp directory. If for some reason these files cannot
be accessed from the Sidewinder G2, they can be downloaded via an FTP client or
Web browser. The MIB files are scc-mib and scc-sw-mib.
To retrieve the files using anonymous FTP, use an FTP client and log in to
ftp.securecomputing.com. The directory where the files are located is /pub/mibs.
To retrieve the files using a Web browser, point the browser to
ftp://ftp.securecomputing.com/pub/mibs/.
You can route (or forward) SNMP messages between a management
station behind the Sidewinder G2 and any SNMP managed node on
the other side of the Sidewinder G2. You can also allow an external
management station to access the Sidewinder G2 SNMP agent. Both of
these scenarios require the use of a UDP proxy.
Important: A UDP proxy is not needed to allow the Sidewinder G2 SNMP agent to
communicate with a management station in an internal network (behind the Sidewinder
G2).
Figure 14-5 summarizes which SNMP configurations require you to
configure a UDP proxy.
Configuring the SNMP Agent 14-11

Communication with systems in an external network
Figure 14-5. Sidewinder
G2 serving as an SNMP
agent for internal or
external management
station
14-12 Configuring the SNMP Agent
internal
SNMP mgmt.
station
(OpenView)
no
proxy
needed
internal
network
SNMP
agent
UDP
proxy
external
network
UDP
proxy
SNMP
agent
Internet
The Sidewinder G2 UDP proxy sends SNMP requests and messages
via UDP port 161. The Sidewinder G2 UDP proxy sends SNMP traps
to an external management station via UDP port 162.
Important: Refer to “Setting up a new proxy” on page 8-31 for information on
configuring a UDP proxy.
Note: The SNMP agent cannot run in the Firewall burb. Although only one SNMP agent is
allowed to operate on the Sidewinder G2, access through other burbs is supported using
the UDP proxy.
R
external
SNMP mgmt.
station
(OpenView)

C HAPTER 15
One-To-Many Clusters
About this chapter This chapter describes the Sidewinder G2 clustering features that
allow you to manage multiple Sidewinder G2 Security Appliances.
This chapter covers the following topics:
“Overview” on page 15-1
“Example scenario using a One-To-Many cluster” on page 15-4
“Configuring One-To-Many” on page 15-5
“Understanding the One-To-Many tree structure” on page 15-13
Overview If your organization uses two or more Sidewinder G2s, the One-To-
Many feature allows you to easily manage your Sidewinder G2s at one
time. Changes you make in the Admin Console to your primary
Sidewinder G2 are automatically replicated to each secondary
Sidewinder G2. The changes are made to each secondary Sidewinder
G2 immediately, in real time.
You are most likely to use One-To-Many if you are managing several
Sidewinder G2s that are located in the same network, which is the
case if you are using load balancing hardware. This scenario is
depicted in Figure 15-1.
Note: When implementing One-To-Many, the preferred setup is to configure each
Sidewinder G2 with a dedicated cluster burb, allowing all communication between cluster
Sidewinder G2s to be contained within its own burb.
15
One-To-Many Clusters 15-1

15
Overview
Figure 15-1. A typical
One-To-Many and
Cloning implementation
15-2 One-To-Many Clusters
Sidewinder G2
administrator
Load
balancing
hardware
Your local
network
Primary
Secondary
Secondary
The One-To-Many feature is implemented in a "clustering" scheme.
Clustering is used when you introduce a load balancing tool (as
shown in Figure 15-1) into your network. All of the Sidewinder G2s
reside in the same network and are basically either backups of one
another or are being used to share the network load. In this scenario,
each Sidewinder G2 will have the same basic configuration (excluding
host names and IP addresses).
Tip: If you require centralized management to handle many Sidewinder G2s across
multiple networks, you may want to consider implementing the Sidewinder G2 Enterprise
Manager INSTEAD of using One-To-Many. For information on the Sidewinder G2
Enterprise Manager, go to Secure Computing’s Web site at www.securecomputing.com.
Considerations when using One-To-Many
Load
balancing
hardware
Please note the following considerations when using One-To-Many.
All Sidewinder G2s must be at the same version level.
Internet
You can define only one primary Sidewinder G2 for each cluster.
A Sidewinder G2 that is part of an HA cluster cannot participate in
a One-To-Many cluster.
You cannot use a G2 Enterprise Manager to manage a Sidewinder
G2 that belongs to a One-To-Many cluster.

Overview
DNS services must be configured identically on all Sidewinder G2s
that are part of the cluster.
You should not connect directly to a Sidewinder G2 that is
designated as a secondary Sidewinder G2, unless you are
configuring DNS.
Note: See “Understanding the One-To-Many tree structure” on page 15-13 for
details on configuring non-synchronized areas for secondary Sidewinder G2s.
If you have VPNs configured, you must ensure that your load
balancers are configured to send all traffic for a given VPN security
association to a single Sidewinder G2 within the cluster.
The burb names must be identical for each Sidewinder G2.
The corresponding burbs and NICs on each Sidewinder G2 must
all be on the same networks. For example:
Burb Primary A Secondary B Secondary C
Internet 10.1.182.15 10.1.182.25 10.1.182.35
Web 192.168.183.15 192.168.183.25 192.168.183.35
Cluster 192.168.184.15 192.168.184.25 192.168.184.35
Using IP aliases, redirected addresses, and multiple address
translation in proxy rules
If you use IP aliases, redirected addresses, or multiple address
translation (MAT) in any of the rules created on either the primary
Sidewinder G2 or on a secondary Sidewinder G2, this may cause
problems in a One-To-Many cluster. This is because IP aliases,
redirected addresses, and MAT define addresses that are specific to a
Sidewinder G2. A Sidewinder G2 that requires a unique IP address in
a rule is not a good candidate for inclusion in a One-To-Many
relationship.
However, if a Sidewinder G2 uses IP aliases or redirected addresses,
you can still include it in a One-To-Many cluster by doing the
following:
Note: This procedure will not work with MAT.
1. Define a group that contains all the alias IP addresses and redirected
addresses used by your Sidewinder G2s.
One-To-Many Clusters 15-3

Example scenario using a One-To-Many cluster
Example scenario
using a One-To-
Many cluster
15-4 One-To-Many Clusters
2. Use the group name in the rule rather than the specific IP address.
The group name will replace the unique IP alias or a redirected address
in the rule.
In the following example, there are three Sidewinder G2s protecting a
local network. Network traffic is load balanced across the Sidewinder
G2s using a load balancing tool such as Radware FireProof or F5
Networks BIG-IP ® Controller, similar to the configuration depicted in
Figure 15-1.
Because each Sidewinder G2 will be configured almost identically, the
One-To-Many feature simplifies the management process. Any
configuration changes you make from the primary Sidewinder G2 will
automatically be implemented on each of the secondary Sidewinder
G2s, ensuring that all of your Sidewinder G2s remain synchronized.
Example scenario requirements
This scenario requires the following:
Two or more Sidewinder G2s running at the same version.
A load balancing tool such as a Radware FireProof or F5 Networks
BIG-IP ® Controller.
The IP addresses used to access each Sidewinder G2 must all
reside in a burb of the same name. For example, in the sample
network configuration shown in Figure 15-2, if you are accessing
the Sidewinder G2s from the internal network, all IP addresses
used to access the Sidewinder G2 must reside in the burb named
internal.

Figure 15-2. Sample
network configuration
for One-To-Many
Configuring One-
To-Many
External Network = 192.168.182.x
192.168.182.1
Burb Name:
external
Burb Name:
cluster
Burb Name:
internal
A
10.1.183.1
Internal Network = 10.1.183.x
Burb Name:
external
Burb Name:
internal
Configuring One-To-Many
The following steps explain how to initiate a One-To-Many
relationship between multiple Sidewinder G2s.
B
192.168.182.2
10.1.183.2
Burb Name:
external
192.168.182.3
10.1.0.1 Burb Name: 10.1.0.2 Burb Name: 10.1.0.3
cluster
cluster
Burb Name:
internal
10.1.183.3
Note: A Sidewinder G2 cannot participate in a One-To-Many relationship if it is part of an
HA cluster.
Note: If a participating Sidewinder G2 has rules that use an IP alias or a redirect address,
see “Using IP aliases, redirected addresses, and multiple address translation in proxy rules”
on page 15-3.
Configuring a dedicated cluster burb for each Sidewinder
G2
Secure Computing recommends configuring a dedicated cluster burb
when setting up One-To-Many. This should be done prior to
configuring your Sidewinder G2s for One-To-Many. To add and
configure the cluster burb, follow the steps below.
1. Ensure that the Sidewinder G2 has an interface that can be dedicated to
internal One-To-Many communication.
2. In the Admin Console, connect to the Sidewinder G2 and select Firewall
Management -> Burb Configuration and create a cluster burb.
Important: The burb name for the cluster burb must be the same for each
Sidewinder G2 this will be participating in the One-To-Many cluster.
Note: See “Modifying the burb configuration” on page 3-48 for more information.
C
One-To-Many Clusters 15-5

Configuring One-To-Many
15-6 One-To-Many Clusters
3. Click the Save icon on the toolbar.
4. Go to Firewall Administration -> Interface Configuration to assign an
address and the cluster burb to the appropriate interface. (Be sure to
select Enable Interface.)
Note: See “Modifying the interface configuration” on page 3-50 for more
information.
5. Click the Save icon on the toolbar. (You do not need to reboot at this
time.)
6. Repeat these steps for each Sidewinder G2 that will be participating in
the One-To-Many cluster.
Configuring the primary in a new One-To-Many cluster
This section provides instruction on configuring your primary for
One-To-Many. Follow the steps below.
Important: It is recommended that you perform a system backup before configuring
One-To-Many. See “Backing up system files” on page A-4 for details.
Note: The entrelayd server will automatically become enabled in the cluster burb when
you configure One-To-Many.
1. Start the Admin Console, and log in to the Sidewinder G2 that will
become the primary.
2. In the tool bar, select the icon to launch the State Change Wizard.
(You can also access the State Change Wizard by clicking on the
Sidewinder G2 icon in the Admin Console tree and then clicking State
Change Wizard.) The Welcome window appears.
3. Click Next.
4. Select Not Enterprise Managed and click Next.
5. Select One-To-Many Cluster and click Next.
6. Select Create New Cluster and click Next.
7. In the One-To-Many Communication Configuration window, do the
following:
a. In the Cluster Burb field, select the burb that will be used for intracluster
policy communication. This is generally a dedicated burb. For
information on creating a dedicated cluster burb, see “Configuring a
dedicated cluster burb for each Sidewinder G2” on page 15-5.

Configuring One-To-Many
b. In the Primary IP Address field, select the IP address of the burb you
selected in step a.
Note: This address is required when you are joining additional Sidewinder G2s to
the One-To-Many cluster.
8. Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing,
click Back to navigate to the appropriate window(s) and make the
necessary changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If
the transition is successful, the Success window appears displaying the
new state.
To add an additional cluster member, see “Adding a secondary” on page
15-7.
Adding a secondary
Once you have created a One-To-Many cluster with a primary, you
can add one or more secondaries to be managed. Adding a secondary
to a One-To-Many cluster creates a placeholder for that Sidewinder
G2 within that cluster. Once you have added the Sidewinder G2, you
will need to join that Sidewinder G2 to the cluster before it can be
managed by the primary.
Using the Admin Console, connect to the primary One-To-Many
cluster member, and click One To Many Management in the Admin
Console tree. The One To Many Management window appears.
Tip: You can also get to this window by clicking the icon in the toolbar.
One-To-Many Clusters 15-7

Configuring One-To-Many
Figure 15-3. One To
Many Management
window
About the One To Many
Management window
About the Add Cluster
Member window
15-8 One-To-Many Clusters
In this window, you can do the following:
Add a secondary—To add a secondary to your One-To-Many cluster,
click New. The Add Cluster Members window appears. See “About
the Add Cluster Member window” on page 15-8 for information on
configuring this window.
View the status of a One-To-Many cluster—To view the status of a One-
To-Many cluster, click Cluster Status. The Cluster Member Status
window appears. For information on viewing the status of a
cluster, see “Viewing the status of a One-To-Many cluster” on page
15-10.
Modify the primary IP address—To change the primary IP address,
click Modify Primary Address. The Modify Primary Address window
appears. For information on modifying the IP address to determine
which Sidewinder G2 is the primary, see “Changing the primary in
a One-To-Many cluster” on page 15-11.
This window allows you to add a secondary to a One-To-Many
cluster.
Note: You will need to join the Sidewinder G2 to the One-To-Many cluster once you have
added the placeholder before it can participate in the One-To-Many cluster.
1. In the Cluster Member Name field, type the name of the secondary.
2. In the IP Address field, type the IP address in the cluster burb of the
secondary.

Configuring One-To-Many
3. In the Registration Key field, create the registration key for this
Sidewinder G2. This is a one-time key that you will use to register the
Sidewinder G2 to the One-To-Many cluster.
The key must be at least one character long and may consist of
alphanumeric characters, hyphens (-), and underscores (_).
4. Click Add to return to the One To Many Management window. The
secondary will appear in the One To Many Cluster Members table.
5. To register this Sidewinder G2 to a One-To-Many cluster, go to “Joining a
secondary to an existing One-To-Many cluster” on page 15-9.
Joining a secondary to an existing One-To-Many cluster
To join a Sidewinder G2 to an existing One-To-Many cluster, follow
the steps below.
Note: You must add a placeholder for the Sidewinder G2 in the One-To-Many cluster
before it can join the One-To-Many cluster. See “Adding a secondary” on page 15-7.
1. Connect to the Sidewinder G2 that will be joining the One-To-Many
cluster using the Admin Console.
2. In the tool bar, select the icon to launch the State Change Wizard.
(You can also access the State Change Wizard by clicking on the
Sidewinder G2 icon in the Admin Console tree and then clicking State
Change Wizard.) The Welcome window appears.
3. Click Next.
4. Select Not Enterprise Managed and click Next.
5. Select One-To-Many Cluster and click Next.
6. Select Join Existing Cluster and click Next.
7. In the Gathering information to join cluster window, configure the
following fields:
a. In the Primary IP Address field, type the IP address in the cluster burb
of the primary to which you are registering the secondary.
b. In the Cluster Member Name field, enter the name of the secondary
that you are registering (this is the name you entered when you
added the Sidewinder G2 to the One-To-Many cluster).
One-To-Many Clusters 15-9

Configuring One-To-Many
15-10 One-To-Many Clusters
c. In the Registration Key field, enter the registration key for this One-
To-Many cluster (this is the unique, one-time key that you created
for the secondary when you added it to the One-To-Many cluster).
8. Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
If you want to make changes to your configuration before executing,
click Back to navigate to the appropriate window(s) and make the
necessary changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If
the transition is successful the Success window appears, displaying the
new state.
When the Sidewinder G2 is successfully joined to the One-To-Many
cluster, it will reboot automatically. When the Sidewinder G2 reboots, it
will be synchronized with the primary, and the One-To-Many cluster will
appear in the Admin Console tree as a single Sidewinder G2 icon. See
“Understanding the One-To-Many tree structure” on page 15-13 for
information on managing your One-To-Many cluster.
Viewing the status of a One-To-Many cluster
To view the status of a One-To-Many cluster, using the Admin
Console, connect to the primary and select One to Many Management.
The One to Many Management window appears. Follow the steps
below.
1. In the One to Many Management window, click Cluster Status. The
Cluster Member Status window appears.
The Cluster Member Status window consists of a table that lists each
Sidewinder G2 in the One-To-Many cluster by row, and provides the
following information:
Member Name—This column lists the name of each Sidewinder G2
that is included in the One-To-Many cluster.
Registration State—This column indicates whether the Sidewinder
G2 is Active (synchronized and running), Unregistered (running but
not registered and synchronized), or Inactive (registered, but has
not yet been initially synchronized with the primary).

About the Modify Primary
Address window
Configuring One-To-Many
Communications—This column indicates whether a remote
Sidewinder G2 is responding. A value of Up indicates that
communication is available. A value of Down indicates that the
Sidewinder G2 is offline or otherwise not responding.
Policy State—This column indicates whether the Sidewinder G2
policy is synchronized with the primary. A value of Up to date
indicates that the Sidewinder G2 is synchronized with the primary
configuration. A value of Not up to date indicates that the
Sidewinder G2 is not synchronized with the primary.
Changing the primary in a One-To-Many cluster
Under certain circumstances, you may need to designate a secondary
as the primary (for example, if the primary will be down indefinitely).
To transfer primary status to a secondary, follow the steps below.
Note: When you change the primary, all of the secondaries will be rebooted.
1. In the Admin Console, add a new Sidewinder G2 icon for the secondary
that you want to become the primary by clicking the New Firewall
icon and entering the appropriate information. (This is necessary
because when you register a secondary to a One-To-Many cluster, the
icon for the secondary is removed by default.)
Note: For information on adding a Sidewinder G2 to the Admin Console, see
“Adding a Sidewinder G2 to the Admin Console” on page 2-4.
2. Connect directly to the secondary by clicking on the secondary that
you added in the previous step. You will receive a warning message
stating that you should only modify information on the primary. Ignore
this message.
3. Select the One To Many Management option at the top of the secondary
tree. The One To Many Management window appears.
4. In the One To Many Cluster Member window, select Modify Primary
Address. The Modify Primary Address window appears. See “About the
Modify Primary Address window” on page 15-11.
This window allows you to select a new Sidewinder G2 to take over
as the primary.
1. In the Cluster Burb drop-down list, select the cluster burb.
2. In the One to Many Primary IP Address drop-down list, select the cluster
IP address for this Sidewinder G2.
One-To-Many Clusters 15-11

Configuring One-To-Many
15-12 One-To-Many Clusters
3. Click OK. You will be prompted to verify your decision. Click Yes to
transfer primary status to this Sidewinder G2. The secondaries that will
be managed by the new primary will be rebooted at this time. When
the secondaries finish rebooting, they will recognize the new primary.
Removing Sidewinder G2s from a One-To-Many cluster
The following procedures allow you to delete one or more
Sidewinder G2s from a One-To-Many cluster. This will cause the
Sidewinder G2(s) to revert to a stand-alone Sidewinder G2. Follow the
steps below.
Removing a secondary from a One-To-Many cluster
To remove a secondary from a One-To-Many cluster, follow the steps
below. Repeat for each secondary you want to remove.
1. Using the Admin Console, connect to the primary.
2. Select the One To Many Management option at the top of the
Sidewinder G2 tree. The One To Many Cluster Management window
appears.
3. Highlight the Sidewinder G2 that you want to remove from the cluster,
and click Delete. You will be prompted to confirm your decision. Click
Yes.
A pop-up window appears informing you that the secondary will be
rebooted. Click OK to reboot the secondary. When the Sidewinder G2
reboots, it will no longer be part of the One-To-Many cluster and will be
managed by making a direct connection to that Sidewinder G2.
Changes will no longer be replicated to the Sidewinder G2. To make a
direct connection to the stand-alone Sidewinder G2, you will need to
create a new Sidewinder G2 icon in the Admin Console tree branch. See
“Adding a Sidewinder G2 to the Admin Console” on page 2-4.
Removing the primary from a One-To-Many cluster
To remove the primary from a One-To-Many cluster, follow the steps
below.
Note: You must remove all of the secondaries from the One-To-Many cluster before you
can access the State Change Wizard to remove the primary.

Understanding
the One-To-Many
tree structure
Understanding the One-To-Many tree structure
1. Connect to the One-To-Many cluster using the Admin Console.
2. In the tool bar, select the icon to launch the State Change Wizard.
(You can also access the State Change Wizard by clicking on the
Sidewinder G2 icon in the Admin Console tree and then clicking State
Change Wizard.) The Welcome window appears.
3. Click Next.
4. Select Change To Standalone Firewall.
5. Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If
the transition is successful the Success window appears, displaying the
new state.
When the Sidewinder G2 is successfully removed from the One-To-
Many cluster, it will reboot automatically. When the Sidewinder G2
reboots, it will be a standalone Sidewinder G2.
The Admin Console tree structure is slightly different in a One-To-
Many cluster environment. When you configure One-To-Many, all
Sidewinder G2s are managed within a single Admin Console
connection to the primary. All secondary icons are removed from the
tree.
Areas within the primary connection that are synchronized (that is,
areas in which the information for all Sidewinder G2s must be the
same) will appear as a single tree option within the primary. When
you modify information within those areas, it will automatically be
applied to all Sidewinder G2s that are part of the One-To-Many
cluster.
Information specific to individual Sidewinder G2s within the One-To-
Many cluster that cannot be synchronized between Sidewinder G2s
(such as Configuration Backup and Audit) will include a sub-folder
within the primary that provides an icon for each Sidewinder G2 in
the One-To-Many cluster. To modify these features, select the
individual Sidewinder G2 icon and make the changes. These changes
will apply only to the Sidewinder G2 that you have selected and will
not be overwritten by the primary.
One-To-Many Clusters 15-13

Understanding the One-To-Many tree structure
Figure 15-4. Example of
an individually
configured area
15-14 One-To-Many Clusters
Important: DNS is the only exception to this structure. To configure DNS settings on a
secondary, you will need to add the secondary server icon and connect directly to that
Sidewinder G2. All other features should be configured using the primary connection to
avoid being overwritten. (For information on adding a Sidewinder G2 server icon, see
“Adding a Sidewinder G2 to the Admin Console” on page 2-4.)
Figure 15-4 below demonstrates the difference between individually
configured areas of the One-To-Many cluster (Configuration Backup
and Date and Time) and a synchronized area of the One-To-Many
cluster (Burb Configuration).
To modify individually configured information for a particular
Sidewinder G2, simply select that icon for the Sidewinder G2 and
make the desired changes. Changes to an individual Sidewinder G2
will be applied only to that Sidewinder G2 and will not be overwritten
by changes made to the other Sidewinder G2.
The following tables summarize which features are synchronized and
which features are configured individually in a One-To-Many cluster:
Features that are synchronized in a One-To-Many cluster
Policy Configuration Burb Configuration
Proxies SmartFilter
Servers (excludes sendmail
configuration files))
VPN Configuration
Scanner Alarm Configuration
Static Routing UI Access Control
Authentication
Certificate Management
Firewall Accounts
Burb Configuration is
synchronized (changes made are
sent to all Sidewinder G2s within
the One-To-Many cluster, and you
cannot select a Sidewinder G2.
Configuration Backup and Date
and Time are configured on an
individual Sidewinder G2 basis.

Understanding the One-To-Many tree structure
Features that are configured individually in a One-To-Many cluster
Servers: Sendmail only DNS a
Routing (Dynamic and
Routed)
Audit Viewing
Firewall Monitoring Reports
Configuration Backup Interface Configuration
Date and Time Firewall License
Software Management System Shutdown
Reconfigure DNS
File Editor
Reconfigure Mail
a. DNS must be configured by connecting directly to the secondary. All other
features listed in this table are configured using the primary connection. To
connect directly to the secondary, you will need to create a new Sidewinder
G2 icon for the secondary and then connect to the Sidewinder G2 using that
Sidewinder G2 icon. (This is because the icon for the secondary is removed
from the Admin Console tree branch when it is successfully added to a cluster.)
For information on adding a Sidewinder G2 to the Admin Console, see “Adding
a Sidewinder G2 to the Admin Console” on page 2-4.
One-To-Many Clusters 15-15

Understanding the One-To-Many tree structure
15-16 One-To-Many Clusters

C HAPTER 16
High Availability
About this chapter This chapter describes how to set up the optional High Availability
(HA) feature. HA allows you to configure load sharing between two
Sidewinder G2s, or configure a hot backup Sidewinder G2 in your
network. This chapter contains the following topics:
How High
Availability works
“How High Availability works” on page 16-1
“HA configuration options” on page 16-3
“Configuring HA” on page 16-6
“Managing an HA cluster” on page 16-17
High Availability requires two Sidewinder G2s that can be configured
either for load sharing (both the primary and secondary Sidewinder
G2s actively process traffic), or with one Sidewinder G2 acting as a
standby Sidewinder G2 that does not process traffic unless it is called
upon to take over for the primary in the event that the current primary
becomes unavailable. A cluster of Sidewinder G2s configured and
registered for HA are known as an HA cluster.
As shown in Figure 16-1, configuring an HA cluster requires at least
three burbs for each Sidewinder G2: an internal burb, an external
burb, and a heartbeat burb. Creating a separate heartbeat burb allows
all HA cluster traffic (including the heartbeat message as well as any
stateful session IP Filter traffic) to pass between the HA cluster
Sidewinder G2s in its own burb, and does not impact regular network
traffic. HA cluster Sidewinder G2s must reside on the same network
and can be connecting to one another using a cross-over cable.
Note: For information on configuring stateful session IP Filter rules, see “Creating IP Filter
rules” on page 7-12.
16
High Availability 16-1

16
How High Availability works
16-2 High Availability
Figure 16-1. Basic HA
configuration
aaa.aaa.aaa.1
aaa.aaa.aaa.5*
cluster common
IP address
aaa.aaa.aaa.3
*In a load sharing HA cluster,
the internal and external
cluster common IP addresses
are shared between
Sidewinder G2s. In a failover
HA cluster, they are assigned to
the primary.
To implement an HA cluster in your network, you will need one
additional “cluster common” IP address for each network. The HA
cluster will use these addresses as IP alias addresses. The table below
summarizes the IP addresses needed for this HA configuration.
internal burb external burb heartbeat burb
primary IP aaa.aaa.aaa.1 bbb.bbb.bbb.1 ccc.ccc.ccc.1
secondary/standby
IP
cluster common IP aaa.aaa.aaa.5 a
primary Sidewinder G2
internal burb external burb
heartbeat burb
ccc.ccc.ccc.1
ccc.ccc.ccc.5
cluster common
IP address
ccc.ccc.ccc.3
secondary/standby
Sidewinder G2
bbb.bbb.bbb.1
bbb.bbb.bbb.5*
cluster common
IP address
bbb.bbb.bbb.3
Internet
aaa.aaa.aaa.3 bbb.bbb.bbb.3 ccc.ccc.ccc.3
bbb.bbb.bbb.5 a ccc.ccc.ccc.5
a. In a load sharing HA cluster, the internal and external cluster common IP
addresses are shared between Sidewinder G2s. In a failover HA cluster, they
are assigned to the primary.

HA configuration
options
HA configuration options
In this example, all users in the internal or external network must use
the cluster address (aaa.aaa.aaa.5 or bbb.bbb.bbb.5, respectively).
Only system administrators should know about the other IP addresses.
The same concept applies for DNS names.
Tip: When configuring an existing single Sidewinder G2 configuration to become an HA
cluster, consider using the existing interface addresses as the cluster addresses and getting
new IP addresses for the actual NICs. This lessens the impact on your users, who will not
have to change their perception of the "Sidewinder G2" address.
You can configure HA to perform load sharing (with both Sidewinder
G2s actively processing traffic) or failover (with one Sidewinder G2
processing traffic and the other Sidewinder G2 standing by as a hot
backup). The following sections discuss each HA configuration
option.
Load sharing HA
Load sharing HA consists of two Sidewinder G2s that actively process
traffic in a load sharing capacity. When a secondary is registered to an
HA cluster, synchronized areas will be overwritten by the HA cluster
configuration to match the primary. (To determine which areas are
synchronized, see “Managing an HA cluster” on page 16-17.) Each
Sidewinder G2 maintains its own private (individual) address, the
cluster common address for each interface (excluding the heartbeat
interface), and any other alias addresses. The Sidewinder G2s are then
able to coordinate traffic processing on a single shared IP address
using a multicast Ethernet address to ensure that each connection
(and the packets associated with that connection) is handled by the
same Sidewinder G2. To configure load sharing HA, both Sidewinder
G2s must have the same hardware configuration (e.g., CPU speed,
memory, active NICs).
In a load sharing HA configuration, the primary is assigned the cluster
address for the heartbeat burb as an alias, allowing it to communicate
with the secondary. When the secondary or standby is brought online,
it activates its interface IP addresses. The primary will then begin to
"multicast" a heartbeat message. The heartbeat uses IPSec
authentication (AH) to ensure that the messages are correct. The
secondary “listens” for this heartbeat and sends an acknowledgement
to the primary. If one of the Sidewinder G2s become unavailable (that
is, a heartbeat message or acknowledgement is not received by a
Sidewinder G2 for the specified amount of time), the remaining
Sidewinder G2 takes over and assumes responsibility for processing
all traffic.
High Availability 16-3

HA configuration options
16-4 High Availability
If one of the Sidewinder G2s unexpectedly becomes unavailable and
the remaining Sidewinder G2 takes over processing all traffic, any
active proxy sessions and non-stateful IP filter sessions that were
assigned to the unavailable Sidewinder G2 will be lost. IP Filter
sessions that are configured for stateful session failover will not be
lost.
If you know in advance that a Sidewinder G2 will need to be shut
down, you can reduce the number of lost connections by scheduling
the shutdown (rather than shutting down immediately). When a
shutdown is scheduled for a later time, a soft shutdown will be
performed to reduce the number of sessions that are lost. For
information on soft shutdown, see “Scheduling a soft shutdown for an
HA cluster Sidewinder G2” on page 16-27.
Certain connections in a load sharing HA cluster will be assigned to
the primary. For example, connections that are used for Sidewinder
G2 management purposes (Admin Console, telnet, SSH) that are
addressed to the shared cluster address will be assigned to the
primary. In the event that the primary becomes unavailable, new
connections will be assigned to the new primary, and existing
connections will remain in tact. SNMP connections that are addressed
to the shared address will also be assigned to the primary.
Connections that are specifically addressed to an individual
Sidewinder G2 address, will be assigned to the specified Sidewinder
G2.
Failover HA
Failover HA consists of one Sidewinder G2 (the primary) actively
processing traffic with the standby acting as a hot backup. When a
standby Sidewinder G2 is registered to an HA cluster, synchronized
areas will be overwritten by the HA cluster configuration. (To
determine which areas are synchronized, see “Managing an HA
cluster” on page 16-17.) Once registered, the standby monitors the
primary through an Ethernet-based "heartbeat" mechanism that
functions between Sidewinder G2s. If the standby determines that the
primary is unavailable, the standby takes over and assumes the role of
the primary. When a standby takes over networking functions, any
active proxy sessions through the primary are lost. IP Filter sessions
that are configured for stateful session failover will not be lost.

You can configure failover HA in one of two ways:
HA configuration options
primary-standby—In a primary-standby configuration, if the primary
becomes unavailable, the standby takes over as the acting primary
only until the primary becomes available again. (This option is
generally used if you have Sidewinder G2s that do not share the
same hardware configuration.)
peer-to-peer— In a peer-to-peer configuration, both Sidewinder
G2s are configured as standbys with the same takeover time
setting. This allows whichever Sidewinder G2 boots up first to act
as the primary. If the primary becomes unavailable, the peer
Sidewinder G2 (acting as the standby) will take over as the
primary and will remain as the acting primary until it becomes
unavailable, at which time the peer will again take over as the
acting primary. This is the recommended failover HA
configuration. However, to configure peer-to-peer HA, both
Sidewinder G2s must have similar hardware configurations.
When the primary is brought online, it activates both the cluster and
interface IP addresses. (Remember, you must inform all users that the
cluster address is the Sidewinder G2 address, so all traffic still passes
through the primary.) When the secondary or standby is brought
online, it activates its interface IP addresses. The primary will then
begin to "multicast" a heartbeat message. The heartbeat uses IPSec
authentication (AH) to ensure that the messages are correct. The
secondary or standby "listens" for this heartbeat.
Suppose the primary is accidentally powered off for a period of time.
When the standby does not receive a heartbeat signal for a number of
seconds (based on the takeover setting of the standby), it sets the
cluster common IP addresses on its interfaces. In the process, the
standby clears its address resolution protocol (ARP) cache and
attempts to generate a "gratuitous ARP." Most systems will immediately
determine that the standby is now responsible for the addresses by
which the primary is known, and new connections will be established
through the new acting primary.
Note: Unfortunately, there may be a number of reasons why the gratuitous ARP is not
received: a remote system may not recognize the message, the message may be blocked by
certain switches, it may fail due to timing issues, etc. Often this can be resolved by flushing
the ARP caches in the remote system. Many of these remote systems have ways to shorten
the time that entries stay in the ARP cache; these should be set to time periods in the three
to five minute range.
High Availability 16-5

Configuring HA
16-6 High Availability
If you configured a primary-standby configuration, when the
Sidewinder G2 that is configured as the primary is powered on or
reactivated, it will begin sending a heartbeat message. When the
standby (temporarily acting as the primary) receives the heartbeat
message, it immediately drops the cluster common IP addresses so the
primary can again assume responsibility. Established connections
through the standby will continue to run for a period of time, but
eventually all traffic will again pass through the primary. (In a peer-topeer
configuration, the Sidewinder G2 that takes over as the acting
primary will remain as the primary until it becomes unavailable.)
Note: When a takeover event occurs, there can be a number of netprobe events detected
when connections take time to detect the switch of systems.
Configuring HA This section provides the basic information you need to configure an
HA cluster. Before you begin, sketch a diagram showing your planned
configuration (similar to the diagram in Figure 16-1) for reference.
Include the following items on your diagram:
interfaces
IP addresses
HA cluster common IP addresses
burb names
Before you configure HA, the following conditions must be met:
Both Sidewinder G2s must be at the same version.
A dedicated heartbeat burb and interface must be configured on
each Sidewinder G2.
Note: For load sharing HA, the interface used for the heartbeat burb must be at
least as fast as the fastest load sharing interfaces on your Sidewinder G2. For
information on configuring the heartbeat burb, see “Configuring the heartbeat
burbs” on page 16-7.
The following areas must be configured identically on both
Sidewinder G2s before you configure HA:
— number and types of interfaces
— number of burbs
— burb names (burb names are case-sensitive)
— burb indices
— user-defined proxies

Configuring HA
— DNS configuration (For example, if the primary is configured
to use transparent DNS, the secondary must also be
configured to use transparent DNS. If the DNS configuration
types are not the same, DNS will not work on the secondary
once HA is configured.)
Note: All other configuration information will be overwritten on the
secondary/standby when HA is configured.
Configuring the heartbeat burbs
You must configure a dedicated heartbeat burb and interface on each
Sidewinder G2 before configuring an HA cluster. Follow the steps
below for each Sidewinder G2.
1. Ensure that the Sidewinder G2 has an interface that can be dedicated to
HA traffic.
Note: For load sharing, the interface used for the heartbeat burb must be at least as
fast as the fastest load sharing interfaces on your Sidewinder G2.
2. In the Admin Console, connect to the Sidewinder G2 and create a
heartbeat burb (select Firewall Administration -> Burb Configuration).
For troubleshooting purposes, select the Respond to ICMP echo and
timestamp check box.
Note: See “Modifying the burb configuration” on page 3-48 for detailed information
on creating a new burb.
3. Click the Save icon in the toolbar.
4. Go to Firewall Administration -> Interface Configuration and assign the
heartbeat burb and IP address to the appropriate interface. (Be sure to
enable the interface.)
Note: See “Modifying the interface configuration” on page 3-50 for detailed
information on configuring a new interface.
5. Click the Save icon in the toolbar. (You do not need to reboot at this
time.)
6. Repeat these steps for each Sidewinder G2 that will be participating in
the HA cluster.
Important: When you have configured a heartbeat burb and interface for each
Sidewinder G2, be sure to test the network connectivity between the two Sidewinder
G2s for the heartbeat interface. Network connectivity must exist between the
Sidewinder G2s on this burb to successfully configure HA.
High Availability 16-7

Configuring HA
16-8 High Availability
Configuring Sidewinder G2 for HA
Once you have configured a heartbeat burb for each Sidewinder G2
and have verified network connectivity between the Sidewinder G2s
on the heartbeat interface, you can configure the Sidewinder G2s for
HA. Follow the steps below.
Important: It is recommended that you perform a system backup before configuring
HA. See “Backing up system files” on page A-4 for details.
Configuring the first Sidewinder G2 in a new HA cluster
To configure the first Sidewinder G2 in a new HA cluster, follow the
steps below.
1. Connect to the Sidewinder G2 that will become the primary using the
Admin Console.
Note: If you are planning to configure a load sharing or peer-to-peer HA cluster, it
does not matter which Sidewinder G2 you configure first.
2. Configure all functions and features other than HA.
3. Verify that you have a dedicated heartbeat burb and interface
configured for HA on this Sidewinder G2. See “Configuring the
heartbeat burbs” on page 16-7 for instructions.
4. In the tool bar, click to launch the State Change Wizard. (You can
also access the State Change Wizard by clicking on the Sidewinder G2
icon in the Admin Console tree and then clicking State Change Wizard.)
The Welcome window appears. Read the Welcome window and then
click Next.
5. Select Not Enterprise Managed and then click Next.
6. Select HA Cluster and then click Next.
7. Select Create New Cluster and then click Next.

Configuring HA
8. Select the HA configuration that you want to create, and then click Next.
Peer-To-Peer HA—Both Sidewinder G2s are configured as standbys
with the same takeover time setting. Whichever Sidewinder G2
boots up first will act as the primary. If the primary becomes
unavailable, the peer (acting as the standby) will take over as the
primary and will remain as the acting primary until it becomes
unavailable, at which time the peer will again take over as the
acting primary. This is the recommended failover HA configuration.
Load-Sharing HA—Load sharing HA consists of two Sidewinder
G2s that actively process traffic in a load sharing capacity. For more
information on load sharing HA, see “Load sharing HA” on page 16-
3.
Primary-Standby HA—If the primary becomes unavailable, the
standby takes over as the acting primary only until the primary
becomes available again. (This option is generally used if you have
Sidewinder G2s that do not share the same hardware
configuration.) For more information on primary-standby HA, see
“Failover HA” on page 16-4.
Note: To configure peer-to-peer HA or load sharing HA, both Sidewinder G2s
must have the same hardware configuration.
9. [Conditional] In the High Availability Takeover Time window, specify the
number of seconds that the primary must be unavailable before the
secondary/standby will begin the takeover process. The default value is
13 seconds.
Note: This window does not appear if you selected the primary-secondary HA
option. For primary-secondary HA, the takeover time is 3 seconds for the primary and
13 seconds for the secondary by default and cannot be modified in the State Change
Wizard.
Click Next. The High Availability Cluster Common Addresses window
appears.
10. The High Availability Cluster Common Addresses window allows you to
configure the cluster common addresses for the interfaces in your HA
cluster. It also allows you to specify the heartbeat burb, which is
responsible for sending and receiving heartbeats. Do the following, and
then click Next:
a. Select the interface row that you want to configure, and click
Configure. The High Availability Aliases window appears.
b. In the Cluster Common IP Address field, type the common IP address
for the interface that will be shared between Sidewinder G2s within
the HA cluster.
High Availability 16-9

Configuring HA
16-10 High Availability
Note: The cluster address is the address most systems should use to
communicate with or through the Sidewinder G2, meaning that DNS, default
routes, etc. need to be aware of this address.
c. Click OK.
d. Repeat step a through step c for each interface that will use HA.
e. In the Heartbeat Burb drop-down list, select the burb that HA will
use to send or receive heartbeats. (A heartbeat is a short message
that is sent out at specific intervals to verify whether a Sidewinder
G2 is operational.) This must be a dedicated burb.
f. [Optional] If you want to skip the advanced configuration windows
and use the default values, select the Use default advanced High
Availability properties and skip advanced screens check box.
If you select this check box, the following configuration options will
be made automatically:
IPSec authentication password and authentication type will be
automatically selected.
HA identification cluster ID and multicast address will be
automatically assigned.
Remote test configuration options will not be configured.
If you want to modify or configure any of these properties, deselect
the Use default advanced High Availability properties and skip
advanced screens check box and click Next to access the Advanced
General Properties and Advanced Network Properties windows.
11. [Conditional] The High Availability Advanced General Properties
window allows you to configure IPSec Authentication values and High
Availability identification values. Modify any of the following values:
Note: This window does not appear if you selected the Use default advanced High
Availability properties and skip advanced screens check box in the High
Availability Cluster Common Addresses window.
High Availability Password—Type the password that will be used
to generate the authentication key for IPSec. This password must
be the same for both Sidewinder G2s because they share the same
virtual firewall ID.
Authentication Type—Select one of the following:
— SHA1: Select this option if using HMAC-SHA1 authentication.
— MD5: Select this option if using HMAC-MD5 authentication.

Configuring HA
Cluster ID—Select an ID that will be assigned to the HA cluster.
This allows you to distinguish between and manage multiple HA
clusters, if needed. Each Sidewinder G2 with an HA cluster must be
assigned the same cluster ID. Valid values are 1–255.
Multicast Address—This field displays the address of the multicast
group used for HA purposes in the heartbeat burb. The default
address is 239.192.0.1. To modify the address, click Edit Address.
When you have finished configuring this window, click Next.
12. [Conditional] The High Availability Advanced Network Properties
window allows you to configure interface testing and force ARP reset
properties. To configure interface testing and/or ARP reset properties,
do the following and then click Next.
Note: For more information on interface testing with HA, see “Interface
configuration issues with HA” on page F-34.
Note: This window does not appear if you selected the Use default advanced High
Availability properties and skip advanced screens check box in the High
Availability Cluster Common Addresses window.
a. In the Interface Test area, configure any remote test IP addresses for
networks that you want to periodically ping, as follows:
Highlight the network row that you want to modify, and click
Modify. The Remote Test window appears.
In the Remote Test IP field, enter the IP address that the
Sidewinder G2 will periodically ping. The remote address must be
a highly reliable system that is directly attached to the Sidewinder
G2 network. For example, if you use a VRRP (Virtual Router
Redundancy Protocol) cluster, you can specify the VRRP address of
the router as your remote ping address. (However, some VRRP
routing clusters will only respond to pings if the configured
primary router is currently acting as the primary. If you are using
this type of VRRP routing cluster, you should use an alternative
remote address.)
For load sharing HA, if remote ping fails on one of the two cluster
members, that member will become unavailable until the remote
interface is again detected. If there is only one active cluster
member and a remote ping failure is detected, that member will
audit the failure and remain in the cluster until another member
joins the cluster (without a ping failure), or until the remote
system is detected.
Note: If you specify 255.255.255.255 in this field, HA will only test the status of the
interface rather than send data to verify that the interface is up.
Click OK to return to the High Availability Advanced Network
Properties window.
High Availability 16-11

Configuring HA
16-12 High Availability
b. In the Ping the Remote Test IP field, specify how often (in seconds)
the HA cluster will ping the remote address to ensure that an
interface and path are operational.
c. In the Consecutive ping failures before takeover field, specify the
number of failed ping attempts that must occur before a secondary/
standby takes over as the primary.
If the primary becomes unavailable immediately after a ping
attempt has been issued, the time it takes for a secondary/standby
to take over will be slightly longer (this is because it will take close to
an entire test interval before the first failure is detected).
d. [Conditional] The Force ARP Reset area lists the IP address and burb
of each system that you determine needs to update its ARP cache
with the new cluster alias IP. Use this area to list all systems that are
known to ignore gratuitous ARPs, but that need to know the new
cluster alias.
Note: This area is not available if you are configuring Load Sharing HA.
To define a system to be included in the Force ARP Reset list, click
New. The Force ARP Reset window appears. Enter the IP Address and
select the burb for the system, and then click OK.
To modify an entry, highlight the appropriate entry and click Modify.
To delete an IP address from the list, highlight the address and click
Delete.
13. The State Change Summary window displays a list of the actions that
will be performed when you click Execute.
Important: The Sidewinder G2 will be automatically rebooted after the transition
process is complete. Carefully review the changes before you click Execute, as
changes you make after initially executing the state change will require an additional
reboot.
If you want to make changes to your configuration before executing,
click Back to navigate to the appropriate window(s) and make the
necessary changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If
the transition is successful the Success window appears, displaying the
new state, and the Sidewinder G2 will automatically reboot. Click Finish.
To add an additional cluster member, see “Joining a Sidewinder G2 to an
existing HA cluster” on page 16-13.

Joining a Sidewinder G2 to an existing HA cluster
Configuring HA
Joining a Sidewinder G2 to an existing HA cluster, requires two steps:
Add a placeholder in the HA cluster for that Sidewinder G2 in the
High Availability Common Parameters window. See “Adding a
placeholder in the HA cluster” on page 16-13.
Join the Sidewinder G2 to the HA cluster using the State Change
Wizard. See “Joining a Sidewinder G2 to an existing HA cluster” on
page 16-14.
Note: You must have a dedicated heartbeat burb configured on each Sidewinder G2 that
you register to an HA cluster. See “Configuring the heartbeat burbs” on page 16-7 for
instructions.
Adding a placeholder in the HA cluster
Adding a Sidewinder G2 to an HA cluster creates a placeholder for
that Sidewinder G2 within that HA cluster. Once you have added the
Sidewinder G2 to the HA cluster, you will need to join the Sidewinder
G2 to the HA cluster using the State Change Wizard.
To add a placeholder for the new Sidewinder G2 in the existing HA
cluster, do the following:
1. Connect to the HA cluster using the Admin Console, and select High
Availability in the Admin Console tree. The High Availability Common
Parameters tab appears.
2. In the Pair Members area, click New. The Add New Firewall window
appears.
3. In the Name field, enter the name of the Sidewinder G2 you are adding
the HA cluster.
4. [Conditional] If you selected the Primary/Standby HA mode, in the
Takeover Time field, select the number of seconds that the primary
must be unavailable before the secondary/standby will begin the
takeover process. The default value is 13 seconds.
Note: This field does not appear if you selected peer-to-peer HA or load-sharing HA.
5. In the IP Address in Heartbeat Burb field, enter the individual IP address
(in the heartbeat burb) of the Sidewinder G2 that you are adding to the
HA cluster.
High Availability 16-13

Configuring HA
16-14 High Availability
6. In the Registration Key field, create the registration key for this HA
cluster. The key must be at least one character long and may consist of
alphanumeric characters, hyphens (-), and underscores (_).
Important: You will need the registration key when you join the Sidewinder G2 to
the HA cluster using the State Change Wizard.
7. Click Add to add the Sidewinder G2 to the HA cluster. You can now join
the Sidewinder G2 to the HA cluster using the State Change Wizard. See
“Joining a Sidewinder G2 to an existing HA cluster” on page 16-14.
Joining a Sidewinder G2 to an existing HA cluster
To join a Sidewinder G2 to an existing HA cluster, follow the steps
below.
Note: You must add a placeholder for the Sidewinder G2 in the HA cluster before you will
be able to join the HA cluster. See “Adding a placeholder in the HA cluster” on page 16-13.
1. Connect to the Sidewinder G2 that will be joining the HA cluster using
the Admin Console.
2. In the tool bar, click to launch the State Change Wizard. (You can
also access the State Change Wizard by clicking on the Sidewinder G2
icon in the Admin Console tree and then clicking State Change Wizard.)
The Welcome window appears.
3. Click Next.
4. Select Not Enterprise Managed and click Next.
5. Select HA Cluster and click Next.
6. Select Join Existing HA Cluster and click Next.
7. In the Gathering information to join cluster window, configure the
following fields:
Partner’s Heartbeat Burb IP Address—Enter the heartbeat IP
address of the HA partner.
Important: This is the actual heartbeat IP address for the HA partner, not the
cluster common heartbeat IP address.
Cluster Member Name—Enter the name of the Sidewinder G2 that
you are joining to the HA cluster (the name you entered when you
added this Sidewinder G2 to the HA cluster).
Registration Key—Enter the registration key for the HA cluster (the
key that you created when you added this Sidewinder G2 to the
HA cluster in step 6 on page 16-14).

Configuring HA
8. Click Next. The State Change Summary window displays a list of the
actions that will be performed when you click Execute.
Important: The Sidewinder G2 will be rebooted after the transition process is
complete. Carefully review the changes before you click Execute, as changes you
make after initially executing the state change will require an additional reboot.
If you want to make changes to your configuration before executing,
click Back to navigate to the appropriate window(s) and make the
necessary changes.
When you are satisfied with the summary of changes, click Execute. A
progress bar will appear while the configuration changes are made. If
the transition is successful the Success window appears, displaying the
new state.
When the Sidewinder G2 is successfully joined to the HA cluster, it will
reboot automatically. When the Sidewinder G2 reboots, it will be
synchronized with the primary, and the HA cluster will appear in the
Admin Console tree as a single Sidewinder G2 icon. See “Managing an
HA cluster” on page 16-17 for information on managing your HA cluster.
Enabling and disabling load sharing for an HA cluster
If you have an HA cluster configured and want to enable or disable
load sharing, follow the steps below.
Note: For more information on load sharing HA, see “Load sharing HA” on page 16-3.
1. In the Admin Console, connect to the HA cluster and select
High Availability.
2. Click on the plus sign (+)in front of the High Availability branch to
display the individual icons for each Sidewinder G2 that is part of the HA
cluster.
3. Select the primary icon. The Local Parameters tab appears.
To determine which Sidewinder G2 is the primary, select High
Availability, and then select the Common Parameters tab and click
Cluster Status.
High Availability 16-15

Configuring HA
Removing a secondary/
standby from an HA cluster
16-16 High Availability
4. In the Cluster Mode area, enable or disable load sharing by selecting the
appropriate cluster mode as follows:
Designate as part of a Load Sharing High Availability Cluster—
Select this option if you want to enable load sharing for the HA
cluster (both Sidewinder G2s actively process traffic).
Designate as part of a Primary/Standby High Availability Cluster—
Select this option if you want to disable load sharing HA and
convert the HA cluster to a failover HA cluster (only one
Sidewinder G2 processes traffic, with the other Sidewinder G2
acting as a hot backup).
5. Click the Save icon in the toolbar.
6. Wait 60 seconds to allow the Sidewinder G2s to synchronize, and then
reboot each Sidewinder G2 that is part of the HA cluster. It is important
that the second Sidewinder G2 be rebooted before the primary is
finished rebooting.
Important: If you do not begin the reboot process for the second Sidewinder G2
before the primary finishes rebooting, it will detect that the second Sidewinder G2 is
configured for a different cluster mode, and the HA cluster will not function properly.
If this happens, you will need to reboot each Sidewinder G2 to synchronize the HA
cluster.
Removing a Sidewinder G2 from an HA cluster
To remove a secondary/standby from an HA cluster, follow the steps
below.
1. Connect to the HA cluster and select High Availability in the Admin
Console tree. The Common Parameters window appears.
2. In the Pair Members table, highlight the secondary/standby and then
click Delete.
When the Sidewinder G2 is removed from the HA cluster, it will
automatically reboot and become a functioning stand-alone
Sidewinder G2.

Removing the primary from
an HA cluster
Managing an HA
cluster
Managing an HA cluster
You must remove the secondary/standby from the HA cluster before
you can remove the primary from the HA cluster. Once you have
removed the secondary/standby from an HA cluster, follow the steps
below to remove the primary from the HA cluster:
1. Connect to the HA cluster.
2. Access the State Change Wizard by selecting the Sidewinder G2 icon in
the Admin Console tree and then clicking State Change Wizard. The
Welcome window appears.
3. Click Next.
4. Select Change To Standalone State, and then click Next.
5. The State Change Summary window appears listing the actions that will
be performed when you click Execute. To remove the primary from the
HA cluster and return it to the standalone state, click Execute. The
Sidewinder G2 will automatically reboot. Once the Sidewinder G2 is
rebooted, it will become a functioning standalone Sidewinder G2.
Important: Once the Sidewinder G2 has finished rebooting, the IP address in the
Admin Console Connection window will still display the cluster common IP address.
Before connecting to the standalone Sidewinder G2, you will need to manually
change the IP address back to the Sidewinder G2’s individual address.
Note: To cancel the wizard without making any changes, click Cancel.
Once you have configured an HA cluster, the HA cluster will be
represented in the Admin Console tree by a single Sidewinder G2
icon. When you connect to the HA cluster, you will use the HA cluster
common IP address that you created when you configured HA. This
allows you to manage both Sidewinder G2s by connecting to the HA
cluster.
Important: If you connect directly to a single Sidewinder G2 outside of the HA cluster,
changes you make to synchronized areas for that Sidewinder G2 will be overwritten by the
HA cluster configuration. For information on when and how to connect directly to a single
Sidewinder G2 that is part of an HA cluster, see “Connecting directly to a secondary/
standby” on page 16-29.
Caution: If you modify your hardware interface configuration, HA will not function until
the Sidewinder G2 is rebooted.
High Availability 16-17

Managing an HA cluster
Figure 16-2. Example of
an individually
configured area
16-18 High Availability
Understanding the HA cluster tree structure
The Admin Console tree structure is slightly different for an HA
cluster. As explained above, when you configure an HA cluster, both
Sidewinder G2s are managed within a single Admin Console
connection.
Areas of the HA cluster that are synchronized (that is, areas in which
the information for both Sidewinder G2s must be the same and
remains in synch via the synchronization server) will appear with a
single tree option. When you modify information within those areas,
the information will automatically be updated for both Sidewinder
G2s.
Information specific to individual Sidewinder G2s within the HA
cluster (such as configuration backup and restore) will include a subfolder
(indicated by a plus [+] sign) that contains an icon for each
Sidewinder G2 that is part of the HA cluster. To modify information
within these areas, expand the tree branch, select the appropriate
Sidewinder G2, and make the desired changes. Non-synchronized
modifications to an individual Sidewinder G2 will be applied only to
that Sidewinder G2 and will not be overwritten by changes made to
the other Sidewinder G2.
Figure 16-2 below demonstrates the difference between an
individually configured area of the HA cluster (Reports) and a
synchronized area of the HA cluster (Burb Configuration).
Reporting is configured on an
individual Sidewinder G2 basis.
Burb Configuration is
synchronized, and does not allow
you to select a Sidewinder G2.
The High Availability and Interface Configuration areas within the HA
cluster tree include some areas that are synchronized and some areas
are configured on an individual Sidewinder G2 basis, as shown in
Figure 16-3 below.

Figure 16-3. Special HA
and Interface
Configuration options
Managing an HA cluster
The following lists summarize the features that are synchronized and
the features that are configured individually in an HA cluster.
Features that are synchronized within an HA cluster
Synchronized HA information is configured by
selecting the main HA option.
HA information specific to a single Sidewinder
G2 is configured by selecting a Sidewinder G2.
Synchronized information is configured by
selecting the main Interface Config. option.
Interface information specific to a single
Sidewinder G2 is configured by selecting a
Policy Configuration Certificate Management
Proxies SmartFilter
Servers a
Alarm Configuration
DNS a UI Access Control
Scanner High Availability (Common Parameters)
Routing Firewall Accounts
Authentication Burb Configuration
VPN Interface Alias IP addresses
a. If your Sidewinder G2s are configured for secure split SMTP mail servers or
hosted DNS, those areas must be managed for the secondary/standby by connecting
directly to that Sidewinder G2. All other features listed in this table are
configured using the HA cluster connection. To connect directly to the secondary/standby,
you will need to add a new Sidewinder G2 to the Admin Console
using the Sidewinder G2’s actual IP address, and then connect to the
Sidewinder G2 directly. (This is because the secondary/standby is removed
from the Admin Console tree branch when it is successfully added to the HA
cluster.) For information on adding a Sidewinder G2 to the Admin Console, see
“Connecting directly to a secondary/standby” on page 16-29.
High Availability 16-19

Managing an HA cluster
Figure 16-1. Common
Parameters tab
16-20 High Availability
Features that are configured individually within an HA cluster
Firewall Monitoring Reports
High Availability (Local
Parameters)
Configuration Backup
Interface Configuration Date and Time
Firewall License Software Management
System Shutdown Tools
Audit File Editor
Modifying HA common parameters
The Common Parameters tab allows you to configure properties that
are common to the HA cluster. To configure common HA parameters,
connect to the HA cluster using the Admin Console and select High
Availability. The following window appears:

About the Common
Parameters tab
Managing an HA cluster
The Common Parameters tab specifies the parameters that will affect
all Sidewinder G2s in your HA configuration. Follow the steps below.
1. In the High Availability Identification area, do the following:
a. In the Cluster ID field, select an ID that is assigned to the HA cluster.
This allows you to distinguish between and manage multiple HA
clusters, if needed. Each Sidewinder G2 with an HA cluster must be
assigned the same cluster ID. Valid values are 1–255.
b. The Multicast Group Address field displays the address of the
multicast group used for HA purposes on the heartbeat burb. The
default address is 239.192.0.1. To modify the address, click Edit
address. See “Changing the multicast address” on page 16-23 for
details on modifying the multicast group address.
c. In the Heartbeat Burb drop-down list, select the burb that HA will
use to send or receive a heartbeat. (A heartbeat is a short message
that is sent out at specific intervals to verify whether a Sidewinder
G2 is operational.) This must be a dedicated heartbeat burb. For
information on configuring a dedicated heartbeat burb, see
“Configuring the heartbeat burbs” on page 16-7.
2. In the IPSec Authentication area, do the following:
a. In the Authentication Type field, select the type of IPSec
authentication to use for HA:
—SHA1: Select this option if using HMAC-SHA1 authentication.
—MD5: Select this option if using HMAC-MD5 authentication
b. In the Password field, type the password that will be used to
generate the authentication key for IPSec. This password must be
the same for both Sidewinder G2s because they share the same
virtual firewall ID.
3. [Conditional] The Pair Members table lists the Sidewinder G2s that have
been added to the HA cluster. To add a Sidewinder G2 to the Pair
Members table, see “Adding a placeholder in the HA cluster” on page
16-13. To view the status of the cluster, click Cluster Status. A pop-up
window will appear displaying the status of each Sidewinder G2. To
close the status information window, click Close.
This table is not available until you successfully promote a primary.
Once the primary has been promoted, you can add a second
Sidewinder G2 to the HA cluster. However, you must join the second
Sidewinder G2 before it will become functional within the HA cluster.
See “Joining a Sidewinder G2 to an existing HA cluster” on page 16-14
for information on registering a Sidewinder G2 to an HA cluster.
High Availability 16-21

Managing an HA cluster
16-22 High Availability
4. [Conditional] To define a system that requires ARP cache updates, in the
Force ARP Reset area, click New and see “Configuring an entry in the
Force ARP Reset area” on page 16-23. (This option is not used for load
sharing HA.)
The Force ARP Reset area lists the IP address and burb of each system
that you determine needs to update its ARP cache with the new cluster
alias IP. Use this area to list all systems that are known to ignore
gratuitous ARPs, but that need to know the new cluster alias. (To delete
an IP address from the list, highlight the address and click Delete.)
5. In the Interface Test area, do the following:
a. In the Time Between Tests field, specify how often (in seconds) the
HA cluster will ping the remote address to ensure that an interface
and path are operational.
b. In the Consecutive Failures field, specify the number of failed ping
attempts that must occur before a secondary/standby takes over as
the primary.
Note: If the primary becomes unavailable immediately after a ping attempt has
been issued, the time it takes for a secondary/standby to take over will be slightly
longer (this is because it will take close to an entire test interval before the first failure
is detected).
6. The Interfaces table identifies the burb, HA cluster address, network
address, remote test IP address, and cluster MAC address for each
interface.
Note: The Cluster MAC column is a read-only column that displays the MAC
address for each cluster interface that is defined. Depending on the type of router you
are using, this address may be required to configure the router if you have load
sharing HA configured. The Cluster MAC is used for all shared cluster addresses and
aliases on that interface.
You must define a shared address for each interface being backed up
via HA. To define a new interface, click New. To modify an HA cluster IP
address, highlight the interface you want to modify, and click Modify.
See “Configuring an entry in the Interfaces table” on page 16-24 for
details. To delete an interface, highlight the interface and click Delete.
Important: If multiple IP addresses are desired on a single NIC and HA is
configured on the Sidewinder G2, only the HA cluster IP address is defined here. All
non-HA alias IP addresses are defined in the Interface Configuration window.
7. When you are finished configuring the HA parameters for this
Sidewinder G2, click the Save icon to save your changes.
Important: You must reboot before your changes will take effect.

Changing the multicast address
Managing an HA cluster
The Edit Multicast Group window allows you to specify different
multicast addresses for an HA cluster. Do not specify an address that
conflicts with other multicast groups on the heartbeat burb. Addresses
in the range of 239.192.0.0 to 239.251.255.255 have been reserved by
RFC 2365 for locally administered multicast addresses. Boundary
routers should be configured to not pass your selected address if such
a feature exists.
To restore the default address (239.192.0.1), click Restore Default.
Important: If the default is not used, you should change the reverse lookup files in DNS
to allow DNS reverse resolution of the multicast address. Refer to the
/etc/namedb.u/failover.rev file.
Configuring an entry in the Force ARP Reset area
The Force ARP Reset window allows you to specify the IP address
and its associated burb for each system that would ignore the
gratuitous ARP containing the new cluster alias. To add this
information, follow the steps below.
Note: The Force ARP Reset area is not used for load sharing HA.
1. In the IP Address field, enter the system’s IP address.
2. In the Burb field, select the burb that connects to that system’s network.
3. Click OK to save the information, or click Close to close the window
without saving your changes.
High Availability 16-23

Managing an HA cluster
16-24 High Availability
Configuring an entry in the Interfaces table
The Cluster IP window allows you to specify the cluster common IP
address for your interfaces. You will need to configure a cluster IP
address for each interface that uses HA. Follow the steps below.
Note: Be sure to add the cluster IP address and the associated domain name to your DNS
service.
1. In the Burb drop-down list, select the appropriate burb.
Note: The Network Address field displays the local IP address for this Sidewinder
G2.
2. In the Cluster IP Address field, type the cluster IP address for the
interface that is shared between the primary and secondaries when
they become active.
The cluster address is the address most systems should use to
communicate with or through the Sidewinder G2, meaning that DNS,
default routes, etc. need to know this address.
3. [Optional] In the Remote Test IP field, specify the address that the
Sidewinder G2 will periodically ping.
The remote address must be a highly reliable system that is directly
attached to the Sidewinder G2 network. For example, if you use a VRRP
(Virtual Router Redundancy Protocol) cluster, you can specify the VRRP
address of the router as your remote ping address. (However, some
VRRP routing clusters will only respond to pings if the configured
primary router is currently acting as the primary. If you are using this
type of VRRP routing cluster, you should use an alternative remote
address.)
For load sharing HA, if remote ping fails on one of the two cluster
members, that member will become unavailable until the remote
interface is again detected. If there is only one active cluster member
and a remote ping failure is detected, that member will audit the failure
and remain in the cluster until another member joins the cluster
(without a ping failure), or until the remote system is detected.
Note: If you specify 255.255.255.255 in this field, HA will only test the status of the
interface rather than send data to verify that the interface is up.
4. Click OK to save the cluster address information and return to the Local
Parameters tab. (To exit the window without saving your changes, click
Cancel.)

Figure 16-2. Local
Parameters tab
About the Local Parameters
tab
Modifying HA local parameters
Managing an HA cluster
To configure local HA parameters, connect to the Sidewinder G2
using the Admin Console and select Firewall Administration -> High
Availability. (If you have already configured HA, the High Availability
option will appear directly beneath the Sidewinder G2 icon.) Select
the Local Parameters tab. The following window appears:
The Local Parameters tab specifies the parameters that are unique to a
particular Sidewinder G2 in your HA configuration. Follow the steps
below.
1. In the Cluster Mode area, select one of the following options:
Designate as part of a Load Sharing High Availability Cluster—
Select this option if you want to configure load sharing HA (both
Sidewinder G2s actively process traffic).
Designate as part of a Primary/Standby High Availability Cluster—
Select this option if you want to configure failover HA (only one
Sidewinder G2 processes traffic, with the other Sidewinder G2
acting as a hot backup).
Note: To configure load sharing HA or peer-to-peer failover HA, the
Sidewinder G2s must have the same hardware configuration. For more
information on each HA configuration option, see “HA configuration options”
on page 16-3.
High Availability 16-25

Managing an HA cluster
16-26 High Availability
2. [Conditional] If you selected Primary-Standby in the previous step,
select one of the following options in the Cluster Mode area:
Primary—Select this option if this will be the primary in your
network. (This option is only used for the dedicated primarystandby
HA configuration.)
Standby—Select this option if this Sidewinder G2 is a standby in
your network, or if you are configuring peer-to-peer HA.
Note: For peer-to-peer HA, you must configure EACH Sidewinder G2 as a
standby.
3. In the Control field, select Enabled to enable HA for this Sidewinder G2.
(To disable HA, select Disabled.)
Note: You must reboot before the HA configuration will take effect.
4. [Conditional] In the Takeover Time field specify the number of seconds
that the primary must be unavailable before the secondary/standby will
begin the takeover process.
Note: If the primary in an HA cluster goes into failure mode and the secondary/
standby is not available, the primary will remain as the primary, but the Takeover
Time value for that Sidewinder G2 will change to one, ensuring that if a secondary/
standby becomes available, it can take over as the primary.
The secondary/standby Takeover Time value will differ depending on
the type of HA configuration you are using:
Load sharing Takeover Time—The takeover time for load sharing
HA cluster Sidewinder G2s must be the same for EACH Sidewinder
G2 that is participating in the HA configuration. The default value is
13 seconds for load sharing configurations.
Primary-standby Takeover Time—The takeover time for the
primary is 3 seconds by default and cannot be modified. This value
ensures that the designated primary will become the actual
primary when it is activated. The default for the standby is 13.
Note: If you assign a standby Takeover Time value that is too close to 3
seconds, the standby may attempt to take over as the primary during periods
when the primary is too busy processing data traffic to send the heartbeat.
Peer-to-peer Takeover Time—The takeover time for load sharing
HA cluster Sidewinder G2s must be the same for EACH Sidewinder
G2 that is participating in the HA configuration. The default value is
13 seconds for load sharing configurations.

Managing an HA cluster
Scheduling a soft shutdown for an HA cluster Sidewinder
G2
When a Sidewinder G2 that belongs to an HA cluster is shutdown by
an administrator (for example, to perform scheduled maintenance), a
soft shutdown will automatically occur (assuming the shutdown time
is not immediate). A soft shutdown provides a buffer period before
the actual shutdown occurs, allowing the Sidewinder G2 to stop
accepting new connections, while allowing most existing connections
to complete before the Sidewinder G2 actually shuts down. IP filter
processing is also transferred to the remaining Sidewinder G2.
By default, the soft shutdown process will begin 30 minutes prior to a
scheduled shutdown. If the shutdown is scheduled to occur in less
than 30 minutes, the soft shutdown process will begin immediately
and will remain in effect until the actual shutdown time occurs. You
can also manually increase or decrease the length of the soft
shutdown period.
For example, suppose you configure the Sidewinder G2 to shutdown
in two hours using the default soft shutdown of 30 minutes. The
Sidewinder G2 will continue to accept and process connections for
1.5 hours. When the Sidewinder G2 is 30 minutes from the shutdown
time, it will stop accepting new connections and existing connections
will have 30 minutes to complete. After the soft shutdown period
completes, the Sidewinder G2 will shutdown and will be unavailable
until it is rebooted.
The soft shutdown feature is specified via command line. If you
schedule a shutdown using the Admin Console, the default soft
shutdown time will be applied. The following bullets provide
examples of configuring an HA cluster Sidewinder G2 for shutdown:
If you want the soft shutdown process to begin immediately, use
the following command (the Sidewinder G2 must be shutdown or
manually rebooted once the soft shutdown process is complete):
cf failover softshutdown
To configure soft shutdown to occur for a specific amount of time,
as follows:
shutdown -s [soft_shutdown_time] [shutdown_time]
High Availability 16-27

Managing an HA cluster
16-28 High Availability
The soft_shutdown_time specifies that amount of time that soft
shutdown will occur. The shutdown_time specifies the time at
which the actual shutdown will occur. Each variable can be specified
either as a number of minutes or as an exact date and time. If
you are specifying the number of minutes, you must include a plus
(+) sign in front of the minutes.
For example, if you want the Sidewinder G2 to shutdown on Saturday,
June 12, 2004 at 11:00 am with a 15 minute soft shutdown
period, you would enter the following command:
shutdown -s +15 0406121100
In this case, the soft shutdown process would begin at 10:45 am,
and the Sidewinder G2 would shutdown at 11:00 am on the specified
day.
If you want the Sidewinder G2 to begin the soft shutdown at 6:00
am with an actual shutdown at 6:20 am, you would enter the following
command:
shutdown -s 0600 0620
Note: For a complete listing of shutdown options, refer to the shutdown man
page.
You can cancel a scheduled shutdown at anytime prior to the final 30
minute period by entering the shutdown -c command. However,
once the Sidewinder G2 has entered soft shutdown mode, this
command will no longer cancel the soft shutdown process. When the
soft shutdown process is complete, you will need to reboot the
Sidewinder G2 before it will properly function as part of the HA
cluster.

Connecting directly to a secondary/standby
Managing an HA cluster
When you have an HA cluster configured, most areas for each
Sidewinder G2 are managed by connecting to the HA cluster address.
However, if your Sidewinder G2s are configured for secure split SMTP
mail and/or hosted DNS, you will need to connect directly to the
secondary/standby to manage those areas. (You can still manage the
primary for these areas by connecting to the HA cluster.)
To connect directly to a Sidewinder G2 that is part of an HA cluster,
do the following:
1. In the Admin Console, add the Sidewinder G2 to which you want to
connect. See “Adding a Sidewinder G2 to the Admin Console” on page
2-4. Be sure to use the Sidewinder G2’s actual IP address, not the
common IP address.
2. Connect directly to that Sidewinder G2, and make the necessary
changes.
Note: When you connect directly to a Sidewinder G2 that is part of an HA cluster, a
warning message will appear explaining that any changes you make may be
overwritten by the cluster configuration. Modifications made to the SMTP and/or
DNS areas will not be overwritten if you have configured secure split SMTP mail and/
or hosted DNS.
High Availability 16-29

Managing an HA cluster
16-30 High Availability

C HAPTER 17
Alarm Events and
Responses
About this chapter This chapter explains alarm events and assists you in configuring
alarm events and event responses for your site. This chapter includes
the following topics:
Configuring alarm
events and event
responses
“Configuring alarm events and event responses” on page 17-1
“Example alarm event scenario” on page 17-13
“Sample Strikeback results” on page 17-15
“Ignoring network probe attempts” on page 17-17
“Checking system status” on page 17-19
“Checking network status” on page 17-22
Sidewinder G2 alarm events (also referred to as auditbots) allow you
to monitor your network for potentially threatening activities ranging
from an attempted attack to an audit overflow. Using the Admin
Console, you can configure how many events for a particular alarm
must occur within a particular time frame before an event response is
triggered.
When activity that matches alarm event criteria is encountered, the
event response you configured for that alarm event determines how
the Sidewinder G2 will respond. The Sidewinder G2 can be
configured to respond by notifying an administrator of the event via
email or pager, as well as performing a Strikeback. You can configure
Strikebacks to gather information about users who are making
network access violations, and track down additional information
regarding an attempted attack. You can also configure a Strikeback to
ignore packets from a particular host for a specified period of time.
The configuration options you select will depend mainly on your
site’s security policy and to some extent on your own experiences
using the features. You may want to start with the default options and
make adjustments as necessary to meet your site’s needs.
17
Alarm Events and Responses 17-1

17
Configuring alarm events and event responses
Figure 17-1. Alarm Event
List
About the Alarm Event List
tab
17-2 Alarm Events and Responses
Alarm events are generated on the Sidewinder G2 using a daemon
called auditbotd. This daemon listens to the audit device and detects
various types of alarm events (also known as "auditbots") as they
occur. Alarm events are defined in the /etc/sidewinder/
audit_filters.conf file.
Tip: Default Strikeback event responses are automatically configured on the Sidewinder
G2 during initial configuration. See “Configuring alarm events” on page 17-6.
Configuring alarm events
To view or configure alarm events, start the Admin Console and select
Reports & Monitoring -> Alarm Configuration. The Alarm Configuration
window appears. This window contains two tabs that are used to
enter information about an alarm event. The Alarm Event List tab
(described below), and the Event Responses tab (described in
“Displaying and configuring event responses” on page 17-8).
Note: To view all event settings, use the scroll bar or resize the window.
This tab allows you to view the list of currently configured alarm
event types. The following table describes the fields displayed for
each alarm event in the table.

Table 17-1. Alarm event column descriptions
Window Column Description
Configuring alarm events and event responses
Event Name Lists the names of the configurable alarm events.
Filter Name Specifies the name of the filter that is being used to detect
alarm events.
Enabled Specifies whether the alarm event is enabled.
Strikeback Specifies the Strikeback response that is selected for an alarm
event.
Threshold Specifies the number of times the alarm event must occur in
a specified period before an alarm will be triggered.
Period Specifies the amount of time during which the number of
events (specified in the Threshold field) must occur before an
alarm will be triggered.
Interval Specifies the amount of time (in seconds) before you will be
notified of an additional alarm event of this type once an
alarm has been triggered.
For example, if you have an alarm event that detects
netprobes, and you set the Interval to 300, when an alarm is
triggered, you will not be notified of any additional alarm
events of this type for 300 seconds.
Note: You will still receive audit data for the additional alarm
events.
Reset Specifies whether the alarm event count will be reset when
the threshold number is reached.
Always Strikeback Specifies whether a Strikeback will be performed every time
an alarm event is triggered (even if an Administrator is not
notified of the event).
Threshold
Percentage
Specifies the percentage of alarm events that must be
initiated from the same source address before a Strikeback is
triggered. (The percentage is based on the Threshold value.)
The threshold percentage value may cause multiple
strikebacks to occur for an alarm event.
Alarm Events and Responses 17-3

Configuring alarm events and event responses
17-4 Alarm Events and Responses
Table 17-2. Pre-defined filter descriptions
Filter Name Description
attack_filter Detects attack attempts (that is, any suspicious
occurrence) identified by one of the services on the
Sidewinder G2. For example, if the Network Services
Sentry (NSS) detects a suspicious IP address on an
incoming connection, it will issue an attack attempt.
deniedauth_filter Detects when a user attempts to authenticate and
enters invalid data. For example, if a user is required to
enter a password and entered it incorrectly, the denied
auth_filter would log the event. (Note that this type of
event is not logged when users attempt to switch to an
unauthorized role or enter incorrect login information.)
failover_filter Detects any time a Sidewinder G2 changes its status in
an HA cluster from secondary to primary, or from
primary to secondary.
filterfail_filter Detects SMTP mail messages that fail a configured mail
filter. For example, if a mail message failed the Key Word
Search filter, a mail filter failure event would be logged.
hardware_software_fail Detects failure of a critical component. For example, this
trap occurs when daemond detects a software module
has failed.
ipsec_filter Detects IPSec errors that exceed the configured
threshold values.
licexceed_filter Detects when the Sidewinder G2 has begun denying
users access due to a user license cap violation.
logoverflow_filter Detects when the Sidewinder G2 audit logs are close to
filling the partition.
netprobe_filter Detects network probe attempts (that is, any time a user
attempts to connect or send a message to a TCP or UDP
port that either has no service associated with it or it is
associated with an unsupported service). See “Ignoring
network probe attempts” on page 17-17 for more
information.
networkacl_filter Detects when the number of denied access attempts to
services exceeds a specified number. For example, you
may set up your system so that internal users cannot
FTP to a certain Internet address. If a user tried to
connect to that address, the attempt would be logged
as a denial.
More . . .

Filter Name Description
Configuring alarm events and event responses
powerfail_filter Detects when a connected Uninterruptible Power
Supply (UPS) has a power failure and the Sidewinder G2
is running on UPS battery power.
proxyflood_filter Detects potential connection attack attempts. A
connection attack is defined as one or more addresses
launching numerous proxy connection attempts to try
and flood the system. When NSS receives more
connection attempts than it can handle for a proxy, new
connections to that proxy are briefly delayed, (to allow
the proxy to ’’catch up") and an audit event is created.
shutdown_filter Detects when the Sidewinder G2 is being shut down
after running on UPS battery power for the amount of
time specified in the UPS server window (see
“Configuring the Sidewinder G2 to use a UPS” on page
3-58 for additional information on UPS).
synattack_filter Detects when the Sidewinder G2 encounters a SYN
attack.
te_filter Detects an unauthorized user or process that attempts
to perform an illegal operation on a file on the
Sidewinder G2.
traffic_filter Detects when the number of traffic audit events written
by the various proxies (WWW, Telnet, FTP, etc.) going
through the Sidewinder G2 exceeds a specified number
in a specified time period. This information can be
useful for monitoring the use of the Sidewinder G2
services by internal users.
Note: Network traffic thresholds are reported as number
of events per second, and not as number of bytes per
second.
virusmime Detects when the number of mail or HTTP messages
that failed the MIME/Virus filter exceeds a specified
threshold in a specified time period.
To delete an alarm event from this table, highlight the alarm event
you want to delete and click Delete. You will be asked to confirm your
selection.
To create a new alarm event, click New. To modify an existing alarm
event, highlight the alarm event you want to modify and click Modify
(or double-click the alarm event). The Alarm Event Information
window appears.
Alarm Events and Responses 17-5

Configuring alarm events and event responses
Figure 17-2. Alarm Event
Information window
Configuring alarm events The Alarm Event Information window is used to configure a new
alarm event or to modify an existing alarm event configuration.
Follow the steps below.
17-6 Alarm Events and Responses
1. [In the Event Name field, type a descriptive name for the alarm event.
The entry can consist of 1–32 alpha-numeric characters, hyphens (-), or
underscores (_).
2. In the Filter Name field, select the filter that you want this alarm event to
use. The filter determines what type of alarm event(s) will be detected
by the auditbot daemon on the Sidewinder G2. There are 26 predefined
filters. Each pre-defined filter type is described below.
Note: To create custom filters, refer to the sacap_filter man page.
3. In the Event Responses area, select the type of event response(s) that
will occur for each response type if this alarm event is triggered. (For
more information on configuring event responses, see “Displaying and
configuring event responses” on page 17-8.
EMAIL—Select the name of the E-mail event response that
contains the e-mail address(es) you want contacted if an alarm is
triggered. The default E-mail event response will send e-mail to the
root address. (Select None if you do not want e-mail sent if an
event occurs.)
PAGER—Select the name of the Pager event response that
contains the pager number you want contacted if an alarm is
triggered. The default pager event response is set to 1111111.
(Select None if you do not want anyone to be paged.)

Configuring alarm events and event responses
STRIKEBACK—Select the name of the Strikeback event response
that contains the Strikeback actions you want performed if an
alarm is triggered. The default Strikeback event response will issue
the dig command. Select None if you do not want a Strikeback to
occur.
SNMP Trap—Select this check box if you want to issue an SNMP
trap if an alarm is triggered. See Chapter 14 for details about SNMP.
4. Select the Enabled check box to enable this alarm event. A check mark
appears when the event is enabled. (To disable this alarm event at any
time, de-select this check box.)
5. In the Threshold field, type the number of times this type of event must
occur before an alarm will be triggered. Valid values include any nonzero,
positive integer.
6. In the Event Period field, type the number of seconds during which the
number of events specified in the Threshold field must occur before an
alarm will be triggered. Valid values include zero (which indicates
infinity) or any positive integer.
For example, if you have configured an alarm event to filter for netprobe
attempts, and you want to trigger an alarm event if 5 or more probe
attempts occur within 30 a second period, you would select 5 in the
Threshold field, and 30 in the Event Period field. If you do not enter an
event period, a zero value (which indicates infinity) is used as the
default.
7. In the Alarm Interval field, type the number of seconds to wait once an
alarm has been triggered before another alarm can be triggered for the
same event type. Valid values include any non-zero, positive integer (in
seconds).
For example, suppose you configure an alarm event to trigger when 5
or more probe attempts occur in 30 second period, and you configure
an Alarm Interval value of 300 seconds (five minutes).
In this configuration, if an intruder launches 5 probe attempts in a 30
second period, an alarm event is triggered. However, if the intruder
sends 5 more probe attempts during the next 30 seconds, a new alarm
will not be triggered. After five minutes, if the threshold is again
reached, another alarm will be triggered.
Alarm Events and Responses 17-7

Configuring alarm events and event responses
17-8 Alarm Events and Responses
8. Select the Reset Event Count on Threshold check box if you want the
event count to be reset and the audit list cleared each time the
threshold number is reached within the specified time period.
Note: If you de-select this check box, when the threshold number is reached, the
event count will not be reset, and the event list will not be cleared. This may cause the
same audit events to be used to generate additional alarms.
9. Select the Perform Strikeback if Alarm Dropped check box to run the
Strikeback commands you have configured for each alarm event that
occurs within the alarm interval (rather than only when the number of
events reaches the threshold value and triggers an additional alarm).
Note: If you de-select this check box, Strikeback commands will be performed only
when an event response is triggered.
10. In the Strikeback Percentage Threshold field, type the percentage of
threshold alarm events that must be initiated from a single source
address before a Strikeback will occur. This allows you to configure
Strikebacks to occur only on source addresses that initiate a certain
percentage of events, and prevents the system from extraneously
performing Strikebacks on simple error events (such as a single bad
login attempt by a user) when the threshold is reached.
11. Click Add to add the new alarm event. (If you are modifying an alarm
event, click OK to save your changes.)
12. To add another alarm event, repeat the above procedure.
Displaying and configuring event responses
Event responses are used to specify an appropriate response when an
alarm is triggered in your system. The Sidewinder G2 is preconfigured
with several default responses.
To view the default responses and to add or modify event responses,
click the Event Responses tab on the Alarm Configuration window. The
Event Responses tab appears.

Figure 17-3. Event
Response tab
About the Event Response
tab
Configuring alarm events and event responses
This tab is used to view, create, and modify event responses. An event
response is the action that will occur when an alarm is triggered. The
Event Responses list contains a list of the currently defined event
responses. An event response is only used when it is specified within
an alarm event entry.
If you click on an event response in this list, information about the
entry appears in the right-hand portion of the window. You can
modify the parameters for a particular event directly from this
window.
To create a new event response, click New and select an event
response type from the Select Event Response Type drop-down list. For
details on creating or modifying a specific event response type, refer
to one of the following:
E-Mail events—For information on configuring e-mail event
responses, see “Adding or modifying an E-Mail response” on page
17-10.
Pager events—For information on configuring pager event
responses, see “Adding or modifying a Pager response” on page
17-10.
Strikeback events—For information on configuring Strikeback event
responses, see “Adding or modifying a Strikeback response” on
page 17-11.
Alarm Events and Responses 17-9

Configuring alarm events and event responses
17-10 Alarm Events and Responses
To delete an event response, highlight the event response you want to
delete, and click Delete. You will be asked to confirm the deletion.
Adding or modifying an E-Mail response
To add or modify an e-mail response follow the steps below.
1. In the E-Mail Name field, type a name for this e-mail response. The name
can consist of 1–32 characters.
2. In the E-Mail Address field, click New. The E-mail Address window
appears.
Note: To delete an existing e-mail address, highlight the address you want to delete,
and click Delete.
3. Type the e-mail address of the person you want to receive the audit and
Strikeback results, and then click Close.
4. To add another e-mail address, repeat step 1 and step 3. When you are
finished adding e-mail addresses, click Apply.
Adding or modifying a Pager response
To add or modify a Pager response, follow the steps below. When a
pager response is initiated, a number representing the type of alarm
event that was triggered will be sent to your pager. For information on
these values, see “Example alarm event scenario” on page 17-13.
Note: You may not receive a page if a shutdown_filter event causes the Sidewinder G2
to halt due to a low UPS battery. This is because the UPS may halt the Sidewinder G2 before
the modem can dial the pager number.
1. In the Pager Name field, type a name for this pager response. The name
can consist of 1–32 characters.
2. In the Pager Number field, type the pager number you want called
when an alarm event is triggered. This number will be called as soon as
the specified device (see step 3) is available. The pager number can
consist of any valid modem string.
3. In the Device field, type the name of the device being used for the
modem that will contact the pager. This device is configured in your
system’s /etc/ttys file by default.

Configuring alarm events and event responses
4. In the Pager Wait field, type the number of seconds that the system will
wait for the service to answer the phone and prompt for the touch-tone
response. (Your pager service should be able to provide you with the
correct value for your pager.)
5. Click Apply to save your changes (or click Cancel to cancel any changes).
Adding or modifying a Strikeback response
To add or modify a Strikeback response, follow the steps below.
1. In the Strikeback Name field, type a descriptive name for this Strikeback
response. The name can consist of 1–32 characters.
2. In the Strikeback Commands to Perform area, determine which
commands you want to be performed when an alarm is triggered. To
enable commands, select the appropriate check box(es) To disable
commands, de-select the appropriate check box(es).
Note: Some filters will not allow a Strikeback to be performed, because the events
they detect do not contain source IP addresses.
Sample output for each command is described in “Sample Strikeback
results” on page 17-15. The following commands are available. (For
more information on using these commands, refer to the appropriate
man page.)
dig—The Domain Information Groper (dig) command provides
essentially the same information as the nslookup command.
However, the options make it easier to use from the UNIX
command line, and it is easier to obtain a host name given the IP
address. Selecting this option is equivalent to entering the
following UNIX command:
/usr/bin/dig -x ipaddress
finger—This command allows you to obtain information about
Internet users. Internet systems can run a finger daemon that
allows anyone to obtain this data (although some sites turn it off to
protect users’ privacy). If the daemon is turned off at the target site,
finger will not work during the Strikeback. When you use the
finger command, you can find out the user names of people at a
site and obtain specific user information such as their e-mail
addresses and home directories, the exact terminal they are
logged in on, when they were last logged in and when they last
received and read e-mail. This option is equivalent to entering the
following UNIX command:
/usr/bin/finger @ipaddress
Note: The Sidewinder G2 does not run a finger daemon.
Alarm Events and Responses 17-11

Configuring alarm events and event responses
17-12 Alarm Events and Responses
traceroute—This command provides information on the gateways
an IP packet must pass through to get to a destination. As input,
the command needs the hostname or IP address of the
destination system. It then sends these IP packets from your
Sidewinder G2 to that address. As output, it lists the hostnames
and IP addresses of each system the packets were handed off to
and how long it took to send each packet back and forth. This
option is equivalent to entering the following UNIX command:
/usr/sbin/traceroute -m 50 -p 33500 ipaddress
ping: This command determines whether an Internet system is
running by sending packets that the remote system should echo
back. As output, ping lists how much time it took for the
message to travel to the other system and back. This option is
equivalent to entering the following UNIX command:
/bin/ping -c 5 ipaddress
nslookup—This command queries the DNS database to obtain all
of the information that is available about a particular address. The
output includes the name and address of the DNS server used to
provide the information, the name of the system you asked about
and other data that might be available (for example, where e-mail
is delivered for the domain). This option is equivalent to entering
the following UNIX command:
/usr/bin/nslookup -d 2 ipaddress
whois—This command queries the Network Information Center
(NIC) database to obtain information regarding a particular
domain name.
3. To enable the Host Discard field, select the corresponding check box
and specify the amount of time (in seconds) that packets from a
particular host will be ignored within a specific burb. If this field is
enabled, when a strikeback occurs, any attempts by the offending
source host to send IP packets will be prevented for the time specified.
Valid values include any positive integer (in seconds). The default value
is 0 (disabled).
Changing other options
This section provides information on additional audit options you can
configure by manually editing the appropriate configuration file.
strikeback_data_ttl—One option you may want to change is the
strikeback_data_ttl using:
cf audit set strikeback.data.ttl=x

Example alarm
event scenario
Example alarm event scenario
Where x defines the number of seconds the system should cache
data from previous Strikebacks. If you want the latest Strikeback
information on an IP address every time, set this value to zero. For
example, if you do not want information on an IP address
involved in an alarm to be more than one minute old, set the value
to 60. The default is set at 43200, or 12 hours. To change the
option, open the file in any editor.
Strikeback timeout—To configure the Strikeback timeout option, use
the following command:
cf audit set strikeback.timeout=x
Where x defines the maximum amount of time (in seconds) that a
Strikeback process should take (600 is the default).
As described in the previous section, the Sidewinder G2 can track a
number alarm event types. Using the Admin Console, you can
configure how many of these events must occur within a specific time
frame before an alarm is triggered, and what should happen when an
alarm is triggered.
The steps below walk you through the events that take place when an
alarm occurs:
1. The auditbot daemon determines that an alarm event should be
triggered.
The system is configured with default event responses for each type of
alarm event, but you can also define and select your own options (see
“Configuring alarm events” on page 17-2). For example, you may set up
your system so that five probe attempts in 30 seconds will trigger an
alarm.
2. The Sidewinder G2 notifies the appropriate user.
At system startup, the Sidewinder G2 reads the auditbotd configuration
file to determine which user should be notified if an alarm is triggered.
By default, the system automatically sends an e-mail message to root
(although you can also configure it to send e-mail to other users, or to
notify an administrator of the alarm).
If you connect a modem to the Sidewinder G2, and your administrators
use pagers, you can also configure the system to automatically send a
numeric message to a specified user’s pager when an alarm is triggered.
Alarm Events and Responses 17-13

Example alarm event scenario
17-14 Alarm Events and Responses
The message contains one of the following numbers, indicating which
type of event generated the alarm:
Numbers 1–14 and 26–27 are alarm events that are pre-defined in the
Sidewinder G2. However, you also have the option to create your own
custom filters as well. Custom filters will return a message that contains
numbers 15–25. If you define custom filters that are assigned numbers
higher than 25, you will receive a 15 message by default.
The default values are as follows:
1=Network traffic
2=Attack attempt/Proxy flood
3=Type Enforcement
4=Access control
5=Bad proxy authentication
6=Network probe
7=Mail filter failure
8=IPSEC error
9=Failover
10=Log overflow
11=SYN attack
12=UPS power failure
13=UPS shutdown
14=User license exceeded
16=User-defined default
17-25=User-defined alarm events
26=Hardware-software failure
27=MIME/virus
3. The Sidewinder G2 performs the appropriate Strikeback(s).
Strikebacks are specified in the auditbotd.conf file. Strikeback is a feature
the Sidewinder G2 uses to gather information on the alarm event and
the identity of any possible intruders. By default, the system runs the
dig command to retrieve information about the IP addresses involved
in the audit event—you can also select additional commands.
After it compiles the information, the Sidewinder G2 e-mails the results
to root (by default) or another user you specify.
4. The administrator reviews the data.
The administrator reviews the audit and Strikeback data he or she was
e-mailed. The data is also stored in files.

Sample
Strikeback results
Sample Strikeback results
When the Sidewinder G2 performs a Strikeback, a complete report on
its findings is mailed to the e-mail address record specified for the
alarm event that triggered the Strikeback. This includes a list of the
offending addresses and information about each of them. The
information generated will depend on which Strikeback commands
you configured to execute for an alarm event.
The Strikeback report file is in ASCII format and contains the
following sections:
Auditbot alarm and Strikeback runtime information—Alarm condition
information and how the Strikeback was run.
Summary information—The IP addresses of the potential intruders
found in the audit events.
System utilities output—Verbatim output of the Strikeback
commands.
A sample of the Strikeback information is shown on the following
pages. The data is from an actual report, but the IP addresses and
hostnames are fictitious.
For more information on finger, ping, dig, and traceroute, refer
to the man pages, or see “Adding or modifying a Strikeback
response” on page 17-11.
Alarm Events and Responses 17-15

Sample Strikeback results
17-16 Alarm Events and Responses
########################################################
Results from: dig
########################################################
; DiG 8.3 -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER

Ignoring network
probe attempts
Ignoring network probe attempts
If a host on the network attempts to connect to the Sidewinder G2 for
a service that is not running, an audit record is generated and may
trigger an alarm. An ignore list can be set up to ignore unimportant
network probe audit events, but save the audit to keep track of the
probe attempts. However, if connection attempts are frequent and are
coming from a trusted network, then it may be desirable to ignore
them completely and not audit the connection attempt by configuring
the appropriate IP Filter rules.
The Sidewinder G2 can cause network probe attempts between
services running on the system. These probe attempts usually indicate
one of the services is responding slowly, and do not show that a
problem exists on the Sidewinder G2. By default, auditing these
loopback network probes is disabled. To turn on auditing for the
network probe attempts between services running on the system,
enter the following command in the admin role:
sysctl -w kern.audit_netprobe_loopback=1
Important: If you want to ensure that this remains configured, you should also add this
command to the end of the /etc/rc.local file.
The following services can be useful in ignoring network probe
attempts:
Ignore list—The ignore list defines a collection of network probe
attempt audit events to be ignored by the auditbot. These netprobe
audit events are saved by auditd to /var/log/audit.raw. Auditd
collects the audit, so the auditor can manually view the audit trail.
The ignore list also uses wildcards in its configuration, so your site
can have more flexibility in what it decides to ignore.
IP Filter deny rules—You can create IP Filter rules to deny
connection requests for specific ports. For example, if you have
problems with netbios generating netprobes on the Sidewinder
G2, you can discard them and prevent audit events by creating an
IP Filter with the following key values:
Type: UDP Audit Level: None
Action: Deny Direction: Uni-directional
Source/Dest Burbs: internal: Source/Dest: All (subnet 0.0.0.0:0)
Source/Dest Ports: 137
Alarm Events and Responses 17-17

Ignoring network probe attempts
17-18 Alarm Events and Responses
Configuring the ignore list
The data items in the ignore list define the network probe audit
events to ignore. The ignore list is only used by the
netprobe_filter auditbot.
Note: The ignore list is configured in the /etc/sidewinder/auditbotd.conf file.
Important: Packets in the ignore list will still be logged to the audit.raw file.
The netprobe_filter auditbot collects audit data on network probe
attempts occurring on your system, but does not take action on
network probe attempt audit events that match entries in the ignore
list. The ignore list fields read as follows:
ignore(burb protocol src_host src_port dst_host
dst_port)
Unlike the discard service, the ignore list allows you to use wildcards
in all of its configured fields. Besides the wildcard, the fields can
contain the following values:
burb
0 through 24 or the wildcard “*”
protocol
A numerical protocol, a protocol name from /etc/protocols (such as
udp or tcp), or “*”.
src_host and dst_host
A host name, a dotted IP address, or an asterisk (*) representing
the source or destination host.
Note: IP addresses cannot be sub-wildcarded, (that is, dotted IP addresses are valid
only as a full IP address or asterisk [*] with no rule-type wildcarding).
src_port and dst_port
A numerical port number, a service name from /etc/services, or an
asterisk (*) represents the source or destination port
The Sidewinder G2 contains the following default ignore list entry to
disregard ident probes from all sources:
ignore (* tcp * * * ident)

Checking system
status
Checking system status
An example of how to make additions to the ignore list follows:
If you want to ignore SNMP packets (probe attempts) from an internal
machine, called master.foo.com, destined for a host called slave.bar.com,
do the following:
1. Check the /etc/services file for the name of the service you want to
ignore. You can use the port number, the name of an existing service for
the port number you want your network to ignore, or you can add an
entry /etc/services.
Note: The name must exist in /etc/services.
2. Using a text editor, add the appropriate line to /etc/sidewinder/
auditbotd.conf.
For the above example you would use the following line:
ignore(0 udp master.foo.com * slave.bar.com snmp)
3. Save the file, and quit the text editor.
The change will take effect the next time auditbotd reads the
configuration file, which is done each time you reload or restart
auditbot. This is done by entering one of the following commands:
cf server reload auditbotd
OR
cf server restart auditbotd
In addition to configuring alarm events and strikeback options, you
can display information on the current status of your network
connections and take a look at what is happening on the system.
CPU usage
CPU Usage allows you to obtain information on system performance.
To view CPU usage information, enter the following commands at
Sidewinder G2 command prompt:
/usr/sbin/vmstat
/usr/bin/uptime
/usr/contrib/bin/top
Alarm Events and Responses 17-19

Checking system status
17-20 Alarm Events and Responses
Process status
To view the status of all processes currently running on the
Sidewinder G2, enter the following command at a Sidewinder G2
command prompt.
/bin/ps -axd
This information is useful for tasks such as determining which
processes are using a lot of CPU time. The ps command allows you to
look at information about the processes running on the system. This
command is a variation on the standard UNIX process status
command in that it includes information on the Sidewinder G2
domains. To display process information from the UNIX prompt, enter
one of the following commands at a Sidewinder G2 command
prompt.
To list process information as well as information on the real
domains in which processes are operating, enter the ps -D
command. Real domains control the interaction between one
process and other processes.
To list process information as well as information on the effective
domains in which processes are operating, enter the ps -d
command. Effective domains control the interaction between a
process and files.
Note: In most cases, the information displayed for either the real domain (RDOM) or
the effective domain (EDOM) will be the same.
In addition to the information you normally get with the ps
command, you see domain information similar to the following.
RDOM PID TT STAT TIME COMMAND

Rlg0 7418 p2 IW+ 0:01.30.u (tcsh)
tcp0 9806 pd Is+ 0:02.05-tcsh (tcsh)
where:
Checking system status
EDOM or RDOM—domain name
PID—process identification number
TT—terminal line from which the process was initiated
STAT—current status of the process
TIME—total amount of CPU time used by the process
COMMAND—command line used to start the process
Disk usage
To view statistics about the amount of free disk space on a file system,
enter the following command at a Sidewinder G2 command prompt.
/bin/df
This information is useful to determine which file systems are using
the most disk space.
who
To view who is currently logged onto your Sidewinder G2, enter the
following command at a Sidewinder G2 prompt.
/usr/bin/who
When you use this utility, you can see the user’s log in name, console
name, the date and time of their login, and their host name, if it is not
a local host.
lloyd console Aug 8 16:12 (rock.foo.bar)
lloyd ttyp0 Aug 7 21:34 (10.1.1.1)
Alarm Events and Responses 17-21

Checking network status
Checking network
status
17-22 Alarm Events and Responses
finger
To obtain information about local Sidewinder G2 users, type the
following command at a Sidewinder G2 prompt.
/usr/bin/finger
When you use this command, you can find out the user names of
people at your site, the exact terminal they are logged in on, when
they last logged in, and how long they have been logged on.
Login Name Tty Idle Login Time Office Office Phone
lloyd Lloyd Frank *p0 2 Aug 8 16:12 ABC,Inc. 555-1234
lloyd Lloyd Frank *p3 19:03 Aug 7 21:34 ABC,Inc. 555-1234
You can display information on the status of your network
connections, routing tables, and network utilities. Using the
commands described in the sections that follow, you can get
"snapshots" of different aspects of your system.
Note: Output for netstat -i queries will display shared addresses with a plus (+)
sign.
Active network connections
To view the status of any active TCP or UDP connections on the
Sidewinder G2, enter the following command:
/usr/sbin/netstat -f inet
Active connections/services
To view the status of all sockets on the Sidewinder G2, enter the
following command at a Sidewinder G2 command prompt:
/usr/sbin/netstat -af inet

Network interfaces
Checking network status
To view the status of the Sidewinder G2’s network interfaces, enter
the following command at a Sidewinder G2 command prompt:
/usr/sbin/netstat -i -n
Routing tables
To view the status of the Sidewinder G2 Operational kernel’s available
routes and their status, enter the following command at a Sidewinder
G2 command prompt:
/usr/sbin/netstat -r
route get
The route get command looks up the route for a destination, and
displays the route in the window. To view this information, enter the
following command at a Sidewinder G2 command prompt:
/sbin/route get ipaddress
The following shows sample output for this command.
route to: rock
destination: rock
gateway: xx.xx.xx.xx
interface: ef2
if address: xx.xx.xx.x
burb: y
flags:
Alarm Events and Responses 17-23

Checking network status
17-24 Alarm Events and Responses
nslookup
The nslookup command queries the DNS database to get all of the
information that is available about a particular address. The output
includes the name and address of the DNS server used to provide the
information, the name of the system you asked about and other data
that might be available, such as where e-mail is delivered for the
domain.
To view this information, enter either of the following commands at a
Sidewinder G2 command prompt:
/usr/bin/nslookup ipaddress
OR
/usr/sbin/nslookup hostname
The following shows sample output for this command.
dig
Server: localhost.foo.bar
Address: 10.2.2.2
Non-authoritative answer:
Name: sharon.foo.bar
Address: 10.1.1.1
The dig (Domain Information Groper) command gathers
information from DNS based on an IP address, and obtains the
corresponding host name.
/usr/bin/dig -x ipaddress any any

Checking network status
; Dig 2.1 homer
;; res options: init recurs defnam dnsrch
;; got answer:
“->>HEADER

Checking network status
17-26 Alarm Events and Responses
ping
Generic Records, Inc.
1234 Elm Avenue
St. Paul, MN 01234-5678
Domain Name: ROCK.FOO.BAR
Administrative Contact, Technical Contact, Zone
Contact:
Frank, Lloyd (DS1234) lloyd@rock.foo.bar
(567) 555-1234
Record last updated on 13-Mar-02.
Record created on 18-Feb-01.
Domain servers in listed order:
LOCALHOST.FOO.BAR10.1.1.1
AB.CD.NET10.2.2.2
The ping command checks whether an Internet system is running by
sending packets that the remote system should echo back. As output,
ping lists how much time it took for the message to travel to the other
system and back, the total number of packets sent and received, the
percent of packets lost, and the average and maximum time it took for
a round trip. To view this information, enter the following command:
/bin/ping -c 5 ipaddress
traceroute
The traceroute command provides information on the gateways an
IP packet must pass through to get to a destination. As input, the
command needs the host name or IP address of the destination
system. It then sends these IP packets from your Sidewinder G2 to
that address. As output, it lists the host names and IP addresses of
each system the packets were handed off to and how long it took to
send each packet back and forth.
To view this information, enter the following command at a
Sidewinder G2 command prompt.
/usr/sbin/traceroute -m 50 -p 33500 ipaddress

C HAPTER 18
Monitoring, Auditing, and
Reporting
About this chapter This chapter contains information on monitoring the current state of
your Sidewinder G2. It also explains the Sidewinder G2’s unique
auditing features and describes how messages are logged on the
system. Using the audit information, you can generate detailed reports
that provide information on security violations, failed login attempts,
and network traffic, as well as many other reports.
Overview of the
audit process
Note: The auditing log files can become large quickly and take up a lot of hard disk space.
To solve this problem, the log files are automatically rotated. See "Understanding
automatic (cron) jobs" in Appendix A for details.
This chapter includes the following topics:
“Overview of the audit process” on page 18-1
“Monitoring Sidewinder G2 status” on page 18-3
“Auditing on the Sidewinder G2” on page 18-5
“Logging application messages using Syslog” on page 18-21
“Generating and viewing reports using the Admin Console” on
page 18-23
“Viewing auto-generated reports” on page 18-30
“Generating exportable reports” on page 18-30
“Using third party reporting tools” on page 18-31
Monitoring, auditing, and reporting are closely related pieces of the
audit process that function together to provide information to you
about the activity on your Sidewinder G2. On the Sidewinder G2, you
can monitor the status of various processes in real-time, view stored
audit information, and generate detailed reports. The diagram below
demonstrates how these pieces are related in the audit flow.
18
Monitoring, Auditing, and Reporting 18-1

18
Overview of the audit process
Figure 18-1. The audit
flow
18-2 Monitoring, Auditing, and Reporting
Monitoring
Using the Admin Console,
you can monitor Sidewinder
G2 activity and status in
real-time.
Auditing
auditd reads /dev/audit
and places the
information into
audit.raw.
This is the recorded
audit stream. This is now
"history" and contains
everything that might
be worth viewing.
Reporting
programs kernel
live audit stream
aka /dev/audit.....
auditd
/var/log/audit.raw
auditdbd
auditdb
auditbotd
auditbotd has a threshold
and can trigger an event
response (see Chapter 17).
Using the Admin Console,
you can filter and view
audit information.
This is an SQL database of
information maintained by
auditdbd. It contains all
relevant audit information.
Using the Admin Console,
you can generate detailed,
easy-to-read reports.

Monitoring
Sidewinder G2
status
Figure 18-2. Firewall
Monitoring window
About the Firewall
Monitoring window
Monitoring Sidewinder G2 status
The Admin Console allows you to display status information on any
Sidewinder G2 you have configured via the Monitoring window. You
can have several Monitoring windows running simultaneously, each
monitoring a single Sidewinder G2. Once launched, each window is a
self-contained program capable of running completely on its own.
That is, the Monitoring window will continue to run even if you exit
the Admin Console.
To view a Monitoring window, using the Admin Console select
Reports & Monitoring -> Firewall Monitoring. A login window appears.
Enter your user name and authentication information and click OK.
The Firewall Monitoring window appears.
This window is used to report the status of various processes,
network, and proxy traffic for a particular Sidewinder G2. The name
of the Sidewinder G2 being monitored is shown in the window’s title
bar. You can monitor the following information:
Load Average—This area displays the number of processes in the
system run queue that is averaged over a period of time.
Disk Use—This area displays how much of the Sidewinder G2’s
hard disk space is currently being used.
Memory Use—This area displays the amount of memory currently
being used by programs operating on this Sidewinder G2.
Monitoring, Auditing, and Reporting 18-3

Monitoring Sidewinder G2 status
18-4 Monitoring, Auditing, and Reporting
TCP Connections—This area displays the number of TCP
connections that are currently open on this Sidewinder G2. To
view details, click TCP Connections.
UDP Connections—This area displays the number of UDP
connections that currently exist for this Sidewinder G2.
IP Filter Sessions—This area displays the number of IP Filter sessions
that currently exist for this Sidewinder G2. To view details for
these sessions, click IP Filter Sessions.
Process—This area displays the status of each process that is
currently running on this Sidewinder G2. It provides the following
details for each process:
— CPU: This field displays the percentage of CPU currently being
used to run each process.
— Process Size: This field displays the amount of memory a
process is using.
— Resident memory: This field displays the amount of physical
memory a process is using.
Network Traffic—This area provides traffic information for each of
the network interfaces on this Sidewinder G2. The name of each
network interface is displayed in the left column. The second and
third columns indicate the average number of inbound and
outbound packets processed per second by each interface,
respectively.
(You can also view this information by typing netstat -is at the
command prompt.)
Proxy Traffic—This area lists each proxy that is currently passing
traffic and the number of instances.
Uptime—This area displays the amount of time since the last
reboot.
Refresh Rate—This field indicates how often the Monitoring
window will refresh. Valid values range from 5 seconds to 10
minutes. The default is 30 seconds.
When you modify the refresh rate, the change will not take effect
until the next scheduled refresh time. To make the change take
effect immediately, press Enter after changing the refresh value.

Auditing on the
Sidewinder G2
Auditing on the Sidewinder G2
Auditing is one of the most important features on the Sidewinder G2.
The Sidewinder G2 generates audit each time the Sidewinder G2 or
any Sidewinder G2 service is stopped or started. Audit is also
generated when any of the Sidewinder G2’s audit facilities are
modified. Other relevant audit information that is captured includes
identification and authentication attempts (successful and failed),
network communication (including the presumed addresses of the
source and destination subject), administrative connections (such as
changing to the srole), and modifications to your security policy or
system configuration (including all administrator activity, such as
changing the system time).
The Sidewinder G2’s audit facilities also monitor the state of log files
to minimize the risk of lost data. Log files are compressed, labelled,
and stored on a daily basis, and a new “current” log file is created.
Using this mechanism, no audit data is lost during the storage
transition.
The amount of available audit storage space is monitored very closely
on the Sidewinder G2 via the rollaudit and logcheck utilities to
monitor the log file size and rotate log files as needed. (For
information on using rollaudit, see “Rollaudit cron jobs” on page A-16.
For information on using the logcheck utility, refer to the logcheck
man page.)
There are three main components to the Sidewinder G2 audit process:
auditd—This is the audit logging daemon. This daemon listens to
the Sidewinder G2 audit device and writes the information to log
files. The log files provide a complete record of audit events that
can be viewed by an administrator. auditd sends all audit data to
a binary file called /var/log/audit.raw.
Note: You configure this daemon by editing the /etc/sidewinder/auditd.conf file.
In this file, you can specify that auditd append the host names of the source and
destination IP addresses to the audit event. By default, this option is turned off in the
/etc/sidewinder/auditd.conf file. When turned on, IP addresses are resolved using
the non-blocking resolver, nbresd.
auditbotd—The Sidewinder G2 uses a process called the
auditbot (referred to as alarms in the Admin Console) which also
runs as a daemon (auditbotd). This daemon listens to the audit
device and gathers the security-relevant information it finds. The
auditbot process looks for specific types of events that are defined
in the /etc/sidewinder/audit_filters.conf file.
Monitoring, Auditing, and Reporting 18-5

Auditing on the Sidewinder G2
18-6 Monitoring, Auditing, and Reporting
The auditbot daemon tracks these events and uses information in
its configuration file to determine when the data might be indicating
a problem, such as an attempted break-in. For more information
on configuring auditbots (alarms) and event responses, refer
to Chapter 17.
auditdbd—This is the daemon that maintains the audit database.
auditdbd monitors the audit stream and sends reporting
information to be stored in the MySQL database called auditdb.
The auditdbd server is disabled by default.
Note: Reporting services are not available until the auditdbd server is enabled. For
information on enabling the auditdbd server, see “Enabling and disabling servers” on
page 3-30.
To view a list of audit databases, enter the following command:
cf audit listdb
A list of audit databases appears. The database named auditdb_1
generally contains the previous days’s information. The database
named auditdb_2 is generally from two days ago, and so on.
Understanding audit file names
The /var/log/audit.raw files contains all audit information and
network probe audits contained on the Sidewinder G2 in a binary
format. When the file is rolled, a timestamp is appended to the file
name. The easiest method for viewing the contents of the audit.raw
files is to use the Admin Console’s Audit Viewing window. Refer to
“Viewing audit information” on page 18-7.
Tip: If you prefer to view the file contents via command line, refer to the showaudit
and acat man pages.
Audit files use one of two file suffixes:
*.gz—This suffix is for files in compressed format. These files may
be decompressed using acat or showaudit. You also have the
option of using the gunzip program. (For information on using
acat or showaudit, refer to the appropriate man pages.)
*.raw—This suffix is for files in raw audit format. These are binary
formatted files that can be viewed in ASCII format using the Admin
Console (or if you prefer using the command line, via the
showaudit or acat programs).

Figure 18-3. Audit
Viewing: View Mode tab
Viewing audit information
Auditing on the Sidewinder G2
Using the Admin Console, you can view the information contained in
the /var/log/audit.raw file. The Admin Console Audit Viewing
window allows you to view audit information in real-time, or for a
specific timeframe that you select. You can also apply filters to view
specific types of audit information within a specific timeframe. To
view audit information using the Admin Console, follow the steps
below.
1. In the Admin Console, select Reports and Monitoring -> Audit Viewing. A
Login window appears.
2. Enter your username and the appropriate authentication information,
and click OK. The Audit Viewing window appears with the View Mode
tab displayed.
About the View Mode tab This tab allows you to configure the type of audit information you
want to view. You can view the audit events via the Admin Console,
or you can export the audit events to a text file for viewing or
printing. Follow the steps below.
Monitoring, Auditing, and Reporting 18-7

Auditing on the Sidewinder G2
18-8 Monitoring, Auditing, and Reporting
1. In the Select a Viewing Mode area, select one of the following:
Real Time—Select this option and go to step 3 if you want to view
streaming audit in real time.
Snapshot—Select this option and continue to step 2 if you want to
view audit messages within a specific timeframe.
Important: The Audit Data Timespan field (located in the top portion of the
Audit Data window) displays the range of audit data that is available on the
Sidewinder G2 for viewing. If you select Snapshot mode, the audit timeframe you
select must fall within this range.
2. [Conditional] If you selected Snapshot mode, specify the start and end
time for the period of audit data that you want to view, as follows:
a. Select the start and end months in the corresponding month dropdown
lists.
b. Select the start and end years in the corresponding year lists. You
can either use the up and down arrows to advance the time ahead
or back, or you can click in the field and modify it manually.
c. Select the start and end days in the corresponding calendars by
clicking on the appropriate dates.
d. Select the start and end time in the corresponding Time fields. You
can either use the up and down arrows to advance the time ahead
or back, or you can click in the field and modify it manually.
Tip: To set the start date to the earliest available date, click Start of Data. To set the
end date to the current date and time, click Now. The date and time fields will
automatically fill in the correct information.
3. In the Lines Per Page field, type the number of audit events that you
want available within each page of audit. Valid values are 1–100. For
example, if you select 50 audit events per page, you can scroll through
50 events at a time.
Note: Use the scroll bar to view all audit events within a page if needed.
4. [Conditional] If you want to set up filtering options for the audit data,
select the Filtering tab and see “Filtering audit data” on page 18-12.

Figure 18-4. Snapshot
Audit Data window
Auditing on the Sidewinder G2
5. Once you have configured the timeframe of audit events, do one of the
following:
To export the audit information to a text file that you can edit and
print, click Export and see “Exporting audit data” on page 18-11.
Note: The Export option is only available if you selected Snapshot in step 1.
To view the results of your audit query in the Audit Data window,
click View. The Audit Data window appears as a separate pop-up
window.
About the Audit Data window
This window allows you to view the audit events that you selected in
the Audit Viewing window. Each audit event appears as a single row
in the table. Use the scroll bars to view all of the information in the
table. If you selected Real-Time audit data, the table will be grayed
out and will populate with audit events as they happen in real time.
You cannot modify the table or events while real-time audit is
running.
The number of audit events you can scroll through on each page is
dependent on the Lines Per Page value you entered in the Audit
Viewing window (see page -7). For example, if you selected 50 audit
events per page, you can scroll through 50 events at a time. To move
to the next 50 events, click Next Page or Previous Page, accordingly.
When you click on an audit event in the table, the detailed audit
information for an audit event is displayed in the bottom portion of
the window (it also appears in the Info column). The following
information is displayed in the table:
Monitoring, Auditing, and Reporting 18-9

Auditing on the Sidewinder G2
18-10 Monitoring, Auditing, and Reporting
Note: Some audit types will not contain information for each table column. If a column is
blank, that information does not apply for that particular audit event.
— Time—This row lists the time at which an audit event
occurred.
— Type—This row lists the type of each audit event (for example,
cfg_change indicates that the audit event represents a
configuration change made on the Sidewinder G2).
— Service—This row lists the service type associated with an
audit event.
— Source IP—This row lists the source IP address associated with
an audit event.
— Source Burb—This row lists the source burb associated with an
audit event.
— Destination IP—This row lists the destination IP address
associated with an audit event.
— Destination Burb—This row lists the destination burb associated
with an audit event.
— Info—This row provides detailed audit information associated
with an audit event. (This information is also displayed in the
bottom portion of the window if you click on an audit event.)
Ordering the audit event table
Initially, the audit events are listed in chronological order. However,
you can filter any column of the table to re-order the results by rightclicking
on a row and selecting one of the filtering options. For
information on filtering tables, see “Admin Console conventions” on
page 2-11.
Note: To view the details of a particular audit event in the real-time audit results, you
must first click Stop to end real-time audit. This will enable the table and allow you to use
the window as you would if you were viewing a snapshot of audit events.
Important: If you click Stop when viewing audit events in real time and then click
Start, the table will be cleared and new real-time audit events will be displayed as they
happen.

Figure 18-5. Export Audit
Data window
Saving audit events
Auditing on the Sidewinder G2
To save some or all audit events listed in the Audit Viewing window,
do one of the following:
To save all of the audit events listed, click Save All. The Export
Audit Data window appears. (Click Browse to specify a location in
which to save the audit information.) To save the information click
Save (or click Save and View to save the file and launch the file for
viewing).
To save selected audit events, press and hold the Ctrl key while
clicking in the row of each audit events you want to save. When
you have highlighted all of the audit events you want to save, click
Save Selected. The Export Audit Data window appears. (Click
Browse to specify a location in which to save the audit
information.) To save the information click Save (or click Save and
View to save the file and launch the file for viewing).
Exporting audit data
To export audit data to a text file that can be viewed and printed, click
Export in the Audit Viewing window (or Save/Save and View in the
Audit Data window). A message appears warning you that the export
process may take awhile depending on the number of results you are
exporting. Click Yes to continue the Export process. The Export Audit
Data window appears. (If you want to cancel the export action, click
No.)
Tip: If you do not want the warning message to appear each time you export audit data,
select the Don’t Show Dialog Again check box.
Monitoring, Auditing, and Reporting 18-11

Auditing on the Sidewinder G2
About the Export Audit
Data window
18-12 Monitoring, Auditing, and Reporting
This window allows you to export the audit data you specified in the
Audit Viewing or Audit Data window. Follow the steps below.
1. In the Filename field, specify the file name and location for the audit
data you are exporting.
2. To specify the location where the file will be saved, click Browse and
select the desired path.
3. In the Export Format area, select one of the following:
ASCII Audit—Select this option to save the audit information in
ASCII format. This allows you to open the file using any standard
text editor, such as Notepad.
ASCII Sidewinder Export Format—Select this option if you want to
convert the data into ASCII text and export it using the Sidewinder
Export Format (SEF) tool.
4. To save the file, select one of the following:
Click Save to save the file to the specified location for later viewing.
Click Save and View to save the file to the specified location and
launch the file using a standard text editing program (such as
Notepad).
Click Close to exit the window without saving the file.
Filtering audit data
To filter the type of audit data you want to view, select the Filtering
tab in the Audit Viewing window. The Filtering tab appears.

Figure 18-6. Audit
Filtering tab
About the Audit Viewing:
Filtering tab
Auditing on the Sidewinder G2
This tab allows you to configure filters to display or exclude certain
types of audit events. Follow the steps below.
1. In the Audit Types area, select the types of audit events that you want to
view. (For a description of each pre-defined filter, see Table 18-1 on page
-14.) To select all of the filters, click Select All. To deselect all of the filters
and clear any selections are currently selected, click Deselect All.
2. In the Advanced area, you can further refine the filter(s) you selected by
specifying any of the following information:
Source Burb—Select this option to receive audit events generated
by the source burb.
Source IP—Select this option to receive audit events generated by
the source IP address.
Number of Bits—If you selected Source IP, type the number of bits
for the source IP address that you want to filter.
Destination Burb—Select this option to receive audit events
generated by the destination burb.
Destination IP—Select this option to receive audit events
generated by the destination burb.
Number of Bits—If you selected Destination IP, type the number of
bits for the destination IP address that you want to filter.
Service—Select this option and select a service from the dropdown
list to receive only audit events generated by the type of
service you specify.
Monitoring, Auditing, and Reporting 18-13

Auditing on the Sidewinder G2
Table 18-1. Pre-defined audit filters
Filter Type Description
18-14 Monitoring, Auditing, and Reporting
3. To customize the filter expression to view more specialized audit
information, select the Custom check box. For example, if you want to
view HTTP network traffic audit events for a user named Veronica, you
would type the following information in this field:
type AUDIT_T_NETTRAFFIC and service WebProxy and
username Veronica
You can also use the pre-defined filters as building blocks to create your
own custom filter. To do this, you will need to deselect the Custom
check box, select the pre-defined filters that you want to use, and then
select the Custom check box. You can then modify the filter as needed
without having to create it completely from scratch.
You cannot save a customized filter that you create in the Audit Filtering
window. However, you can create and save custom filters in the
audit_filters.conf file. Filters that you create and save in the
audit_filters.conf file will appear in the filter list when you log in to the
Audit window. You can access the audit_filters.conf file using the Admin
Console File Editor. For detailed instructions on creating custom audit
filters in the audit_filters.conf file, refer to the sacap_filter man page.
all_audit Displays all audit events contained in the audit.raw file.
attack_filter Displays audit information for detected attack attempts (that is, any suspicious
occurrence) identified by one of the services on the Sidewinder G2.
deniedauth_filter Displays audit events generated when a user attempts to authenticate and enters invalid
data.
failover_filter Displays audit information generated when a failover IP address changes on the system.
filterfail_filter Displays audit information generated when an SMTP mail message fails a configured mail
filter. For example, if a mail message failed the Key Word Search filter, a mail filter failure
event would be logged.
Note: The mail filter map configuration determines what is done with failed messages.
hardware_software_f
ail
Displays audit information generated when a recognized hardware or software
component fails.
ipsec_filter Displays audit information generated when IPSec errors exceed the configured threshold
values.
More . . .

Filter Type Description
Auditing on the Sidewinder G2
licexceed_filter Displays audit information generated when users are denied access due to a user license
cap violation.
logoverflow_filter Displays audit events generated when audit logs are close to filling the partition.
netprobe_filter Displays audit events generated when network probe attempts occur (that is, any time a
user attempts to connect or send a message to a TCP or UDP port that either has no
service associated with it or it is associated with an unsupported service).
networkacl_filter Displays audit events generated when the number of denied access attempts to services
exceeds a specified number.
powerfail_filter Displays audit events generated when an Uninterruptible Power Supply (UPS) has a power
failure and the Sidewinder G2 is running on UPS battery power.
proxyflood_filter Displays audit events generated when potential connection attack attempts are detected.
shutdown_filter Displays audit events generated when the Sidewinder G2 is shut down by a UPS that is
running out of battery power or has been on UPS battery power for the estimated battery
time.
synattack_filter Displays audit events generated when the Sidewinder G2 encounters a SYN attack.
te_filter Displays audit events generated when an unauthorized user or process that attempts to
perform an illegal operation on a file on the Sidewinder G2.
traffic_filter Displays audit events generated when the number of traffic audit events written by the
various proxies (WWW, Telnet, FTP, etc.) going through the Sidewinder G2 exceeds a
specified number in a specified time period. This information can be useful for monitoring
the use of the Sidewinder G2 services by internal users.
Note: Network traffic thresholds are reported as number of events per second, and not as
number of bytes per second.
Note: Proxy and server rules with an audit level of Errors Only will generate only a subset of
auditable events.
virusmime Displays audit events generated when a virus or denied MIME type is detected.
showaudit_aclviolati
on
Displays audit events generated by rule violations.
showaudit_error Displays audit events generated by system errors.
showaudit_nettraffic Displays audit events generated by network traffic.
Note: Proxy and server rules with an audit level of Errors Only will generate only a subset of
auditable events.
More . . .
Monitoring, Auditing, and Reporting 18-15

Auditing on the Sidewinder G2
Filter Type Description
showaudit_authfailur
e
18-16 Monitoring, Auditing, and Reporting
Displays audit events generated by each failed authentication attempt for both users or
administrators.
showaudit_netprobe Displays audit events generated by netprobe attempts.
showaudit_syslog Displays audit events generated by syslog.
showaudit_te Displays audit events generated by the Type Enforcement policy engine.
showaudit_vpn Displays audit events generated by VPN.
showaudit_conf Displays audit events generated by configuration changes (for example, database
modifications).
showaudit_not_conf Displays all audit events other than configuration changes.
Creating custom audit filters
The Custom option in the Filter By field allows you to define a custom
filter to view more specialized audit information. The basic structure
includes specifying the type (AUDIT_T_TYPE) or facility
(AUDIT_F_FACILITY) for which you want to search, followed by
additional fields to further specify the audit results. The fields are
separated by Boolean operators (and, or, not) and grouped by
parenthesis. The following examples demonstrate the basic structure
used to create custom audit filters.
Note: Table 18-2 provides a list of the available fields (for example, facility, type, service,
user, etc.) that you can use to filter your audit search.
Example 1: Filtering for login records
The following example shows the format used to display all system
login records (successful and unsuccessful):
facility AUDIT_F_LOGIN
If you want to view login records for a specific user, you would
include a username, as follows:
facility AUDIT_F_LOGIN and username Josephine

Example 2: Filtering for services and users
Auditing on the Sidewinder G2
The following example shows the format used to display http network
traffic audit records for a user named Lloyd:
type AUDIT_T_NETTRAFFIC and service WebProxy and
username Lloyd
where:
type AUDIT_T_NETTRAFFIC—This field will filter audit records for all
network traffic events.
service WebProxy—This field will filter the network traffic audit
events to include only WebProxy service records.
username Lloyd—This field will filter the WebProxy network traffic
events to include only events that are specific to actions performed
by a username of “Lloyd.”
Example 3: Filtering for specific ports and IP addresses
The following example shows the format used to display all network
probe events on port 37337 on subnet 192.168.124.0/24 originating
from burbs 3 or 4:
type AUDIT_T_NETPROBE and dst_port 37337 and dst_ip
192.168.124.0/24 and (src_burb 3 or src_burb 4)
where:
type AUDIT_T_NETPROBE—This field will filter audit records for all
network probe events.
dst_port 37337—This field will filter the network probe events to
include only records with a destination port of 37337.
dst_ip 192.168.124.0/24—This field will filter the network probe
events to include only records with a destination IP address of
192.168.124.0/24.
(src_burb 3 or src_burb 4)—This information will filter the network
probe events to include only records with a source burb of 3 or 4.
Monitoring, Auditing, and Reporting 18-17

Auditing on the Sidewinder G2
18-18 Monitoring, Auditing, and Reporting
Example 4: Excluding information in a filter
You can explicitly exclude certain types of audit information by
placing the word “not” in front of a field. For example, the custom
filter shown below will display all audit records EXCEPT network
traffic records originating for the source IP address 172.17.9.28:
not type AUDIT_T_NETTRAFFIC and src_ip 172.17.9.28
where:
Table 18-2. Custom audit filter fields
Field Description
not type AUDIT_T_NETTRAFFIC—This field will exclude any network
traffic-based audit events.
src_ip 172.17.9.28—This field will filter for all non-network traffic
audit records generated from the source address 172.17.9.28.
facility Specify an event facility code (such as AUDIT_F_LOGIN, AUDIT_F_PROXY, etc.). For a complete list of
the available facility codes, at a Sidewinder G2 prompt, enter the srole command and then enter
the following command: acat -c | more
type Specify an event type code (for example, type AUDIT_T_NETTRAFFIC). For a complete list of the
available type codes, at a Sidewinder G2 prompt, enter the srole command and then enter the
following command: acat -c | more
pid Specify the process ID of the auditing process.
pgid Specify the process group ID of the auditing process.
ruser Specify the real user ID of the auditing process.
euser Specify the effective user ID of the auditing process.
username Specify a user name.
src_ip Specify the source IP address using the dotted decimal IP version 4 notation, with optional mask bits
separated by a slash (/).
dst_ip Specify the destination IP address using the dotted decimal IP version 4 notation, with optional mask
bits separated by a slash (/).
src_port Specify the TCP or UDP source port.
dst_port Specify the TCP or UDP destination port.
More . . .

Field Description
src_burb Specify the destination burb number.
dst_burb Specify the destination burb number.
service Specify the type of service (for example, Telnet, FTP, WebProxy, etc.).
Understanding audit messages
Auditing on the Sidewinder G2
vpn_l_gw Specify a VPN local gateway using the standard dotted decimal IP version 4 notation with optional
mask bits separated by a slash (/).
vpn_r_gw Specify a VPN remote gateway using the dotted decimal IP version 4 notation with optional mask
bits separated by a slash (/).
When viewing audit messages in the Admin Console, the form may
vary depending on the purpose and content of the message. The form
of the first two lines is the same for all audit messages, and provides
general information about the process generating or causing the audit.
The third line will vary, but usually includes Type Enforcement
information and possibly some additional information. The other lines
of an audit message will vary depending on the type of audit
message.
Important: To view audit message files, see “Viewing audit information” on page 18-7.
Sample audit message
The message below is an example of a Type Enforcement audit
message (using the te_filter filter). The first three lines of this format
applies to all audit message types except netprobes and attack events.
Jan 10 14:56:58 2004 f_kernel a_rover t_ddtviolation
p_major
pid: 5398 ruid: 101 euid: 101 pgid: 5398 fid: 1005379
cmd:‘grep’
domain: User edomain: User
permwanted: 1 permgranted: 0 srcdmn: User filedom: Kern
filetyp: stup
file: ufs_access: rc.local perm wanted: 0x1 perm
granted: 0x0
Monitoring, Auditing, and Reporting 18-19

Auditing on the Sidewinder G2
18-20 Monitoring, Auditing, and Reporting
Line 1: This line lists the date and time, the facility that audited the
message (such as the Kernel, FTP or Telnet), the location, known
as the area), in the facility that audited the message (such as
general area or Sidewinder G2 library), the type of audit message
(such as Domain Definition Table Type Enforcement violation or
access control list) and the priority of the message (such as major
or minor).
Note: Network probe attempts do not contain lines two or three.
Line 2: This line lists the process ID, the real user ID, the effective
user ID, the process group ID, the process family ID (Sidewinder
G2-specific) and the command associated with the process ID.
Line 3: This line lists the real domain the process is running in and
the effective domain (the domain that the process for which
permission is given).
Lines 4 and 5: These lines provide eight pieces of data. The fourth
line, which always begins with “permwanted,” contains the integer
representation of the permissions requested by the process and
granted to the process, the domain of the requesting process, and
the type of file that the process is requesting access to. The fifth
line contains the filename and the permissions wanted and granted
for the file.
In general, the data in an audit message is a tag name followed by a
colon and the value of the tag. Table 18-3 contains examples and
descriptions of some of the tags used in audit messages that appear in
the audit results window.

Logging
application
messages using
Syslog
Table 18-3. Audit data field examples
Name Type Description
Logging application messages using Syslog
srcip 32 bit_integer source IP address
dstip 32 bit_integer destination IP address
srcport 16 bit_integer source port number
srcservice string source service name (/etc/services)
dstport 16 bit_integer destination port number
dstservice string destination service name
(/etc/services)
srcburb 32 bit_integer source burb number
dstburb 32 bit_integer destination burb number
bytes_written
_to_client
bytes_written
_to_server
64 bit_integer number of bytes sent to a client
64 bit_integer number of bytes sent to a server
netsessid 64 bit_integer a network traffic session ID
srchostname string source host name
dsthostname string destination host name
The Sidewinder G2 uses the UNIX syslog facility to log messages
sent by programs running on the system. These messages can be
useful in tracking down unauthorized system users or in analyzing
hardware or software problems. All syslog data is stored in the
Sidewinder G2’s audit log files.
Logging is set up to be handled automatically on the Sidewinder G2.
As an administrator, you will not need to intervene unless you want to
change options, such as where log files are stored. Listed below are
some basic points about syslog and how it works on the Sidewinder
G2.
Note: Secure Computing recommends that you edit these files only if you are an
experienced UNIX administrator.
Monitoring, Auditing, and Reporting 18-21

Logging application messages using Syslog
18-22 Monitoring, Auditing, and Reporting
syslog runs as a daemon process called syslogd.
Each application determines whether it will use syslog and the
types of messages that will be generated. Normally, applications
generate messages of different severity levels, such as
informational and critical.
The syslog configuration file, /etc/syslog.conf, specifies what
syslogd should do with messages that are sent to it. You can
specify what should be done with each type of message. For
example, you might choose to discard informational messages and
store more important messages in a file. In addition, you can
choose to send messages that may require immediate attention
directly to a specific user’s screen or to send output to a different
system on the network. You can edit the configuration file if you
want to handle messages differently or send files to different
locations. See the next section and the syslog.conf man page for
details.
Hackers will often try to edit syslog files to cover any evidence of
their break-ins. The Sidewinder G2 uses Type Enforcement to
protect the syslog files from being modified by unauthorized
users.
A copy of the syslog data is sent to the Sidewinder G2 audit log
files.
The log files generated by syslogd can get large and start using a
lot of hard disk space. To solve this problem, the log files on the
Sidewinder G2 are periodically rotated. See “Understanding
automatic (cron) jobs” on page A-15 for more information on file
rotation.
Redirecting audit output
Important: While it is permitted to redirect your audit output, it is not recommended.
This is because all syslog data on the Sidewinder G2 is automatically sent to the audit
file.
If, after weighing all the options, you determine that you do want to
send audit output to the syslog facility, you need to edit the
following files:
/etc/syslog.conf
/etc/sidewinder/auditd.conf

Generating and
viewing reports
using the Admin
Console
Generating and viewing reports using the Admin Console
You might choose to do this if you want one file to contain all logging
information or if you want to send audit data to another host system
on your network.
Viewing syslog messages
To view syslog messages, display the following files.
/var/log/messages
/var/log/daemon.log
The following illustrates sample Logfile Messages.
Mar 25 14:05:41 MyFirewall kernel: ef0: interfaces:
AUI, 10Base2
Mar 25 14:05:41 MyFirewall kernel: ef0: rxf=5119
txf=3068
Mar 25 14:05:41 MyFirewall kernel: ef1 at isa0 iobase
0x300
Mar 25 14:05:41 MyFirewall kernel: ef1: 3C509-COMBO,
Important: If you receive a message “Response from unexpected source” it usually
indicates name service responses sent by multihomed servers. Some multihomed servers
select the wrong source IP address when sending the response. When the Sidewinder G2
receives the response, it ignores it and logs a message in /var/log/messages. The example
below displays what you would see in the syslog when this happens.
Aug 31 12:57:56 shore named (1) [85]: Response
from unexpected source ([192.55.214.1].53)
Aug 31 12:57:57 shore named (1) [85]: Response
from unexpected source ([199.199.125.108].53)
Aug 31 13:03:51 shore named (1) [85]: Response
from unexpected source ([204.52.248.130].53)
The Sidewinder G2 Reports window in the Admin Console allows you
to generate commonly used reports based on pre-defined report
formats, such as administrative user connections, network probe
attempts, traffic information, and active rule (ACL) usage to name a
few.
Monitoring, Auditing, and Reporting 18-23

Generating and viewing reports using the Admin Console
18-24 Monitoring, Auditing, and Reporting
The report information that is displayed is pulled from the audit
database. When audit events are generated, information relevant to
each event (such as a date and time, process identification
information, user identity, and address information) is automatically
appended to the audit information to help an administrator identify
and categorize the audit data that is stored. If the report is comprised
of numerous areas, the information in the report is appropriately
categorized for ease of viewing.
For example, if you run the traffic report, you will receive a summary
of the various types of proxy traffic as follows: service, source host,
destination, and user. If you want to view only traffic generated by
users, you could instead run the user_traffic report to view only a
summary of all user traffic.
You can further refine your results by running the user_activity report
and specify a single user whose activity you want to view. When you
run the user_activity report, you will receive a detailed report of all of
that user’s system activity, organized into sections (such as general
traffic, root access attempts, rule violations, and so on). The
information contained in a report will depend on the timeframe you
specify.
Note: To view reports using a command line interface, see the cf_reports man page.
To generate reports using the Admin Console, follow the steps below.
Important: You must enable the auditdbd server before you can generate reports. See
“Enabling and disabling servers” on page 3-30 for information on enabling the auditdbd
server.
1. In the Admin Console, select Reports and Monitoring -> Reports. A login
window appears.
2. Enter your user name and authentication information, and then click
OK. The main Reports window appears.

Figure 18-7. Firewall
Reports window
Generating and viewing reports using the Admin Console
About the Reports window In this window you can generate commonly used reports based on a
pre-defined report template. Follow the steps below.
1. In the Report Period field, select the time frame for which you want to
run a report.
2. Highlight the report you want to run by clicking on the appropriate
table row. (For a description of each report, see Table 18-4 on page -26.)
Tip: You can create custom reports using the cf_reports tool. Any reports you create
using the cf_reports tool will appear in the Report list the next time you log in to the
Reports window. For information on creating custom reports, refer to the cf_reports man
page.
3. If you want the report to resolve any IP addresses, select the Resolve IP
Addresses check box.
4. [Conditional] If you are running a host or user activity report, you will
need to enter information in the Template Parameter field as follows:
Host Activity—When you highlight the Host Activity report, the
Template Parameter area will become available. In the Host field,
enter the host name or IP address that will be used to generate the
report.
User Activity—When you highlight the User Activity report, the
Template Parameter area will become available. In the User Name
field, enter the name of the user that will be used to generate the
report.
Monitoring, Auditing, and Reporting 18-25

Generating and viewing reports using the Admin Console
Figure 18-8. Show Report
window
Table 18-4. Available reports
Report Type Description
18-26 Monitoring, Auditing, and Reporting
5. Click Run Report. The report results will be displayed in a separate Show
Report window.
Note: The reports that you generate in this window are view-only. You are not able
to save or print these reports. If you need to save or print your reports, you will need to
generate them using the command line interface. See the cf_reports man page for
details.
acl_usage This report summarizes proxy rule usage on the system. You can use this report to determine
which proxy rules are being used most frequently.:
dest_traffic This report lists proxy information on the destination hosts that the Sidewinder G2 connected
to, sorted by the number of bytes transferred. The report lists the destination host, the service
used, the number of kB transferred, and the number of connections that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 in
Chapter 9 for information on viewing this e-mail.
host_activity This report lists information about a specific host’s activity on the system. This report provides a
section for the traffic generated, root access attempts, services denied, and user database
actions involving the specified user.
More . . .

Report Type Description
Generating and viewing reports using the Admin Console
host_traffic This report produces proxy information for source host systems on internal and external
networks. You might use this data for tracking which systems have the heaviest traffic going to
and from the Sidewinder G2. The report lists the source host, the number of kB sent to the
server, the number of kB sent to the client, the total number of kB, and the number of
connections that were made.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for
information on viewing this e-mail.
http_virus This report provides information on Web viruses that are detected by the Sidewinder G2. The
report includes virus frequency, hits by source address, and detected Web viruses.
ipf_dest_traffic This report lists IP Filter information on the destination host traffic that the Sidewinder G2
connected to, sorted by the number of bytes transferred. The report lists the destination host,
the service used, the number of kB transferred, and the number of connections that were
made.
ipf_host_traffic This report produces IP Filter information for source host traffic on internal and external
networks. You might use this data for tracking which systems have the heaviest traffic going to
and from the Sidewinder G2. The report lists the source host, the number of kB sent to the
server, the number of kB sent to the client, the total number of kB, and the number of
connections that were made.
ipf_port_traffic This report lists on IP Filter traffic port information that occurred over a specific period of time.
The report lists each service, the number of kB sent to the server, the number of kB sent to the
client, the total number of kB, and the number of connections that were made. When a service
uses a non-standard port (for example, 8000 or 8010), the service’s port number will also
appear in the Service column.
ipf_traffic This report provides a summary of the IP Filter port, host, and destination reports.
mail_virus This report provides information on mail viruses that are detected by the Sidewinder G2. The
report includes virus frequency, hits by source, and detected mail viruses.
performance This report summarizes utilization information (based on one hour increments) for CPU
percentage and load average, as well as real, virtual, and mbuf memory usage.
More . . .
Monitoring, Auditing, and Reporting 18-27

Generating and viewing reports using the Admin Console
Report Type Description
probes_attempted This report lists information about attempts made to connect or send a message to a
Sidewinder G2 port that either has no service associated with it or is associated with an
unsupported service. This report contains a section for probes received in each burb on the
system. The report lists where the probe originated from and how many probes occurred. The
output of this report will be similar to the following:
For each burb, the above report lists the time of the report, the interval covered by the report,
the source host, destination host, destination port, and the number of probes generated by
this source/destination host pair. Up to five destination port values are displayed.
Depending on how you have set up your auditing configuration, you may have already been
notified of these probe attempts. If you were not notified, you may want to change your
auditing options as described in Chapter 16.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for
information on viewing this e-mail.
root_accesses This report contains a list of root access attempts by users who used the srole command to
change roles. This report lists the date that the root access attempts occurred, the service
(srole), the result of the attempt, which domain the user tried to srole to, and who the
user was. This report is generated daily.
service_denied This report lists instances when users were denied access to a service because of the
restrictions you set up in your active rules (also referred to as the Access Control List, or ACL).
The report lists the source and destination hosts, the user, the service that was denied, and the
total number of times a check was made. The meaning of these events depends on several
factors, including your site’s security policies. The report could indicate that an internal user is
trying to access an unauthorized system on the Internet. It might also indicate a service that
internal users need, and you may want to consider making it available.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for
information on viewing this e-mail.
service_traffic This report lists proxy information on how often Internet services were used during a specific
period of time. You can use this information to gauge how heavily your Sidewinder G2 is being
used.
The report lists each service, the number of kB sent to the server, the number of kB sent to the
client, the total number of kB, and the number of connections that were made. When a service
uses a non-standard port (for example, 8000 or 8010), the service’s port number will also
appear in the Service column.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for
information on viewing this e-mail.
18-28 Monitoring, Auditing, and Reporting
More . . .

Report Type Description
Generating and viewing reports using the Admin Console
traffic This report lists information about a specific host’s activity while using the system. This report
provides a section for the traffic generated, services denied, and probes generated by the host
that was specified.
udb_action This report, made up of two sections, shows the actions performed on the Sidewinder G2’s
user database. One section of the report shows the actions performed on the system
components of the user database. The other section of the report shows the actions
performed on user components of the user database.
The user database report lists the date the action occurred, which user it affects, what action
was made to the database (either an addition, a deletion, or a modification) what type of data,
or class, received the action, and which administrator changed the data.
user_activity This report lists information about a specific user’s activity on the system. This report provides a
section for the traffic generated, root access attempts, services denied, and user database
actions involving the specified user.
(Add info. about specifying field in window)
user_traffic This report lists which Internet services are being used and sorts it by the user’s name. You can
use this information to gauge how heavily your Sidewinder G2 is being used.
The report lists each user’s name for each service he/she used on the Sidewinder G2.
Information on users is available only when they authenticate through the Sidewinder G2
services. A user name of “(null)” is used for traffic that is not authenticated. The report also lists
the number of kB read by each user, the number of kB written by each user, the total number
of kB transferred, and the number of connections for each user.
Note: This report is automatically generated and e-mailed on a daily basis to the Sidewinder G2
administrator. See “Viewing administrator mail messages on Sidewinder G2” on page 11-6 for
information on viewing this e-mail.
vpn_traffic This report provides information on each VPN connection established on the Sidewinder G2.
This report lists identifying information, gateways, kBytes transferred, and the number of
connections made for each VPN.
Monitoring, Auditing, and Reporting 18-29

Viewing auto-generated reports
Viewing autogenerated
reports
Table 18-5. Auto-generated report
Auto-generated report Description
Generating
exportable
reports
18-30 Monitoring, Auditing, and Reporting
This section describes a variety of automatically generated reports you
can view.
daily system activity This report provides a summary of the /etc/daily script that is automatically run on the
Sidewinder G2 every 24 hours. See “Understanding automatic (cron) jobs” on page A-15
for more information on this script and what it does. The report is compiled from the
/var/log/daily.out file, which is generated each time the script is run.
weekly system activity This report provides a summary of the /etc/weekly script that is automatically run on the
Sidewinder G2 every week. See “Understanding automatic (cron) jobs” on page A-15 for
more information on this script and what it does. The report is compiled from the
/var/log/weekly.out file, which is generated each time the script is run.
monthly system activity This report provides a summary of the /etc/monthly script that is automatically run on the
Sidewinder G2 every month. See “Understanding automatic (cron) jobs” on page A-15 for
more information on this script and what it does. The report is compiled from the /var/
log/monthly.out file, which is generated each time the script is run.
The Sidewinder G2 allows you to create exportable data files from the
report data your site generates. This allows you to transfer files from
the Sidewinder G2, and load them into a database or spreadsheet
application. You can export data via FTP, e-mail, a diskette, or a DAT.
The report data that you can export from the Sidewinder G2 is located
in the /var/log/export_data directory unless you specify otherwise.
The exportable files include:
probe_attempt
acl_denied
traffic
root_access
udb_action
Note: These data files have dates added to them that correspond to the dates the files
were created. Each file contains exportable Sidewinder G2 audit data that corresponds to
what is summarized in the respective Sidewinder G2 reports.
Enter the following commands at the UNIX prompt to generate
exportable data files:

Using third party
reporting tools
Using third party reporting tools
To create an exportable file in /var/log/export_data based on the
previous day’s audit information:
/usr/sbin/gen_reports -e -r all
This generates all reports in separate files.
To create an exportable file in /var/log/export_data based on the
latest (current) traffic audit information:
/usr/sbin/gen_reports -f filename -r traffic
This generates all traffic reports in separate files with the specified
filename added to the front instead of the cf reports timestamp.
The Sidewinder G2 provides you with the option to use third party
reporting tools to format and display audit data. These tools enable
you to use the audit data collected by the Sidewinder G2 to create
easy-to-read informational reports that illustrate how your network is
being used. The current formatting tools that are supported by the
Sidewinder G2 are:
Sidewinder Export Format (SEF): To convert your Sidewinder G2 audit
logs into ASCII format using SEF, refer to the Sidewinder Export
Format document located at:
http://www.securecomputing.com/index.cfm?sKey=842
WebTrends Extended Logging Format (WELF): To convert your
Sidewinder G2 audit logs into ASCII format using WELF, you can
use the
cf export command. See the following section for more
information on using cf export.
Note: You can also use the acat tool to convert files using WELF. See the acat man page
for information.
Formatting & exporting audit data for use with external
tools
To generate reports based on the Sidewinder G2 log files, you must
format the Sidewinder G2 audit data and then export those files to the
workstation or host that contains the software needed to generate log
reports (for example, WebTrends). You can then generate the
Sidewinder G2 log reports on that machine.
Monitoring, Auditing, and Reporting 18-31

Using third party reporting tools
18-32 Monitoring, Auditing, and Reporting
You initiate the formatting and exporting process on the Sidewinder
G2 using the Sidewinder export utility (cf export) or the acat
utility. The
cf export utility allows you to format raw audit data collected by the
Sidewinder G2 into SEF, WELF, Squid, or generic (gen) files and
export those files to a destination host you specify. This utility can
also be used to create a cron job that automatically initiates an FTP
export program once every 24 hours. The FTP export program uses
FTP to transfer the export files from the Sidewinder G2 to the host
you specify. The host can be on a trusted network protected by the
Sidewinder G2, or it can be a host that resides somewhere on the
Internet.
Note: For more information on using the cf export utility, see the cf_export man page.
For more information on using the acat utility, see the acat man page.
To format and export Sidewinder G2 audit data using cf export,
follow the steps below.
1. Log in to the Sidewinder G2 and type the following command to switch
to the admn role.
srole
Note: If you are a read-only administrator, enter srole adminro to change to the
AdRO domain.
2. To configure the export utility, enter the following command.
cf export add type=file_type name=entry_name
host=hostname user=username password=password
targetdir=destination localdir=local_file_path
where:
type=the type of file you want to export (sef, wt, squid, or gen)
name=the name you want to apply to this configuration entry
host=the host name or IP address to which you are exporting the
files.
user=the user name that will be used for FTP authentication
password=the password that will be used for FTP authentication to
the destination host.
targetdir=the directory on the destination host on which you want
the export files placed
localdir=(generic files only) the location of the generic file

Using third party reporting tools
3. To export all files that are currently configured and ready to be
exported, enter the following command:
cf export ftp
Note: To export everything, you can just enter cf export all.
4. To enable a cron job to automatically determine which configured
export files need to be exported, and format and export those files once
every 24 hours (at 2:20 a.m. in most cases), enter the following
command:
cf export enable
To disable the automatic cron job process, enter the following
command:
cf export disable
Sample WebTrends report
Figure 18-9. Sample Sidewinder G2 report using WebTrends
Importing the Sidewinder G2 audit data into WebTrends allows you to
produce a number of different reports that describe how your the
Sidewinder G2 is being used. For example, the reports can help you
account for network expenses, determine network usage, and isolate
people in your organization who are abusing general network
policies.
Figure 18-9 illustrates the type report you can create using
WebTrends.
Incoming Protocol Usage
Protocol # of events % of total events kilobytes (kB)
1 http 4245 92.68 33,153
2 ftp 35 0.76 6,049
3 ftp-data 23 0.5 2,233
4 telnet 6 0.13 90
5 smtp 20 0.43 41
6 110/tcp 13 0.28 3
7 other 238 5.19 0
Total 4580 100 41,573
Monitoring, Auditing, and Reporting 18-33

Using third party reporting tools
18-34 Monitoring, Auditing, and Reporting

A
A PPENDIX A
Command Line Reference
About this appendix This appendix summarizes the cf (configurator) command and
provides a summary of the cf command areas that are available for
use. It also includes information on using UNIX commands and
working with UNIX files on the Sidewinder G2.
This appendix includes the following topics:
“Overview of cf” on page A-1
“Summary of cf structure” on page A-2
“Working with files on the Sidewinder G2” on page A-10
“Understanding automatic (cron) jobs” on page A-15
Overview of cf The cf (configurator) command makes it possible for you to
configure various Sidewinder G2 areas (rules, burbs, DNS, etc.)
directly from the UNIX command line. You can use the cf command
as an alternative to the Admin Console (the Sidewinder G2’s graphical
user interface) for performing most system administration tasks.
There are several situations when you may want to use the cf
command interface instead of the Admin Console to perform
configuration activities. With cf, you can automate repetitive
configuration tasks (for example, adding many similar rules) by using
scripts. Also, cf is useful under circumstances when the Admin
Console cannot be used, such as performing Sidewinder G2
configuration from a text-only terminal. A final benefit of cf is that it
provides a quick and easy way to see how a certain area of your
Sidewinder G2 is currently configured.
Note: cf commands should be run in the Operational kernel (most cf commands will
not function properly in the Administrative kernel).
A
Command Line Reference A-1

A
Summary of cf structure
Summary of cf
structure
Table A-1. Summary of cf structure
A-2 Command Line Reference
The following table summarizes the structure of cf, showing the
primary commands available for each area. This table does not show
the keywords available for each Sidewinder G2 area.
The online manual entry (man page) for cf provides a full description
of all areas available in the cf command and the keywords/options
associated with each area.
To display the man page listing for the cf command, enter:
man cf
To display the man page listing for a specific cf area, enter:
man cf_areaname
For example, man cf_acl or man cf_interface.
Sidewinder G2 area Commands Area Description
acl add
delete
export
flushcache
modify
purge
query
repair restore_console_access
set
adminuser add
delete
modify
set
query
antivirus add
delete
disable
enable
modify
query
set
Use this area to maintain rules on the Sidewinder G2.
Use this area to configure the Sidewinder G2 administrator
database.
Use this area to configure the anti-virus scan engine and
the Sidewinder G2’s scanner service.
More . . .

Sidewinder G2 area Commands Area Description
appfilter add
delete
modify
purge
set
query
audit add
delete
disable
enable
modify
query
listdb
set
burb set
add
modify
start
query
verify
cert add
addsslcert
delete
getcert
getkey
getcrl
modify
updatedbs
view
query
cfg add
delete
modify
query
cmd set
query
config backup
delete
list
query
restore
set
Summary of cf structure
Use this area to configure Application Defenses on the
Sidewinder G2.
Use this area to configure audit, including auditbot, e-mail,
pager, filter and strikeback options.
Use this area to configure the Sidewinder G2 burbs and
hostname.
Use this area to configure all VPN certificate entries used by
the Sidewinder G2.
Use this area to define custom attributes for your
configuration files.
Use this area to configure the Sidewinder G2 certificate
management daemon.
Use this area to configure the Sidewinder G2 configuration
backup and restore process. (Backs up/restores the
configuration files, not the hard disk.)
More . . .
Command Line Reference A-3

Summary of cf structure
Sidewinder G2 area Commands Area Description
crontab set
query
daemond query
set
dns add
delete
dumpdb
notrace
query
querylog
reload
set
status
stats
trace
entrelayd reload
status
export add
all
delete
disable
enable
ftp
modify
query
webtrends
failover add
delete
query
reload
reset
restart
set
start
status
stop
gated set
add
modify
delete
validate
query
A-4 Command Line Reference
Use this area to configure the SmartFilter and package
crontab entries.
Use this area to configure daemond.
Use this area to configure DNS on your Sidewinder G2.
Use this area to configure and manage the entrelayd server.
Use this area to configure the export utility.
Use this area to configure the failover (High Availability)
service on the Sidewinder G2.
Use this area to configure the gated daemon.
More . . .

Sidewinder G2 area Commands Area Description
ikmpd set
query
interface add
modify
delete
detect
up
down
set
status
swap
query
update
ipfilter add
delete
export
modify
purge
query
reload
set
stop
ipsec add
delete
keydump
modify
policydump
query
reload
status
lca add
modify
delete
query
list
revoke
gencrl
getcrl
getcacert
gencert
Summary of cf structure
Configure global settings for the ISAKMP daemon.
Use this area to configure the Sidewinder G2 network
interfaces.
Use this area to configure IP filtering for the Sidewinder G2.
Use this area to configure IPSec parameters.
Use this area to configure the local (on-box) certification
authority.
More . . .
Command Line Reference A-5

Summary of cf structure
Sidewinder G2 area Commands Area Description
ldap add
delete
modify
query
set
license check
features
firewallID
get
host
read
set
query
msnt add
delete
modify
set
query
mvm import
query
nss enable
disable
modify
query
ntp add
config
delete
modify
enable
disable
set
restart
query
A-6 Command Line Reference
Use this area to configure LDAP authentication for the
Sidewinder G2.
Use this area to license this Sidewinder G2 and any
premium features.
Use this area to configure Microsoft NT authentication
servers.
Use this area to configure multi-version management.
Use this area to configure the NSS, which controls access to
all of the transparent and non-transparent proxies, as well
as enable/disable some servers.
Use this area to configure network time protocol (NTP).
More . . .

Sidewinder G2 area Commands Area Description
package backup
check
contents
description
download
errors
install
list
load_cdrom
load_floppy
log
query
readme
set
verify
password expire
set
query
pool add
delete
modify
query
proxy add
create
delete
destroy
disable
enable
help
modify
query
set
radius add
delete
modify
set
query
Summary of cf structure
Use this area to configure the package download system.
This is used for loading patches.
Use this area to configure the reusable password
authentication method.
Use this area to create and modify client address and entry
pools.
Use this area to configure Sidewinder G2 proxies.
Use this area to configure RADIUS authentication for the
Sidewinder G2.
More . . .
Command Line Reference A-7

Summary of cf structure
Sidewinder G2 area Commands Area Description
reports add_query
add_report
delete_query
delete_report
modify_query
modify_report
query
run_report
show_tables
show_aggregates
show_databases
show_groups
show_columns
routed add
delete
query
restart
set
start
stop
safeword add
delete
modify
query
securid install
query
sendmail flush
rebuild
server enable
disable
status
restart
reload
query
smartfilter download
set
query
version
A-8 Command Line Reference
Use this area to define, store, and run audit reports.
Use this area to configure RIP processing on the Sidewinder
G2.
Use this area to configure SafeWord authentication for the
Sidewinder G2.
Use this area to configure the reusable SecurID
authentication method.
Use this area to rebuild the sendmail database files.
Use this area to administer servers. This includes displaying
status, enabling/disabling, and restarting/reloading
servers. Configuration of an individual server is done in its
own area (acl, httpd, nss, ntp, snmp, udpproxy).
Use this area to configure SmartFilter.
More . . .

Sidewinder G2 area Commands Area Description
snk backup-dss
delete
primary-dss
query
set
snmp add
delete
modify
query
restart
set
start
stop
usr2
Summary of cf structure
Use this area to configure the reusable SecureNet Key (snk)
authentication method.
Use this area to configure simple network management
protocol (SNMP).
sshd start Use this area to start the secure shell daemon (sshd)
ssl query
set
sso delete
list
set
query
swede breaklock
repair
override
syncd add
delete
query
set
start
stop
udb add
delete
modify
purge
query
ups query
set
Use this area to configure the Sidewinder G2 SSL
certificates.
Use this area to configure single sign-on authentication.
Use this area to configure the Sidewinder enterprise
database engine.
Use this area to configure the Sidewinder G2
synchronization feature.
Use this area to manage the authentication user database.
Use this area to configure the use of an uninterruptible
power supply with the Sidewinder G2.
More . . .
Command Line Reference A-9

Working with files on the Sidewinder G2
Sidewinder G2 area Commands Area Description
warders clearauthfailures
listauthfailures
query
set
www add
delete
set
restart
status
reconfigure
rotate
query
Working with files
on the Sidewinder
G2
A-10 Command Line Reference
The File Editor is an easy-to-use text editor that is available directly
from the Admin Console. The File Editor simplifies the editing
process, enabling you to perform virtually every necessary editing
task from the Admin Console instead of command line. The File
Editor also provides some additional conveniences such as unique file
backup and restore features. Refer to “Using the Admin Console File
Editor” on page 2-12 for details.
Note: The Sidewinder G2 also supports typical UNIX editors for you to use, including vi,
emacs, and pico.
Important: The pico -w parameter disables word wrapping on lines that contain up to
256 characters. If you do not include the -w parameter, pico will insert hard carriage
returns after about the 80th column of each line that exceeds 80 columns. This corrupts
certain system files, such as the .conf files. Therefore, when you enter the pico command,
be sure to include the -w parameter. However, be aware that certain files may contain
lines over 256 characters and even using the -w parameter will not prevent word
wrapping.
Changing your default editor
By default, the Sidewinder G2 uses the vi text editor. However, the
Sidewinder G2 also supports the emacs and pico editors.
You can change your default editor by following these steps:
1. Log in at a Sidewinder G2 command prompt.
2. Open the .cshrc file in an editor and locate the line that reads as follows:
setenv EDITOR editorname
Use this area to configure Sidewinder G2 authentication
servers.
Use this area to configure the Web proxy on the Sidewinder
G2.

Working with files on the Sidewinder G2
3. Replace the name of the current editor with the name of the one you
want to use.
For example, you might replace vi with emacs.
4. Save the .cshrc file and quit the editor.
The next time you log in, your default editor will be the one you
specified in the .cshrc file.
5. Type the following command at the system prompt to make the
change effective in the current shell:
source .cshrc
About editing Sidewinder G2 files
UNIX files are not protected against simultaneous editing by two
individuals. For this reason, an administrator should take care not to
make changes to a file when another administrator is working on it. In
the UNIX world, whoever writes the file last usually prevails. In some
cases, file corruption occurs.
For example, if an administrator is editing the server.conf
configuration file using the Admin Console, while someone else is
using a text editor to change that file, there may be undesirable
results. If two people try editing the same file using either vi or emacs,
however, the editor will warn the users about the situation.
Also, when editing the Sidewinder G2 configuration files (server.conf,
roles.conf, etc.), be aware of the use of special characters that are
used to format commands within these files. Special characters
include double quotes, single quotes, brackets ([ ]), the pound symbol
(#), and parenthesis ( ). Inadvertently placing special characters in the
Sidewinder G2 configuration files will make the files unreadable to
the Sidewinder G2. Enter man sidewinder.conf at Sidewinder G2
command prompt for details.
Important: Save any scripts you create for the Sidewinder G2 in the /usr/local/bin
directory. If you ever need to upgrade your Sidewinder G2 software, Secure Computing’s
upgrade procedure will automatically save any scripts that reside in that directory.
Command Line Reference A-11

Working with files on the Sidewinder G2
A-12 Command Line Reference
Checking file and directory permissions (ls)
As described in Chapter 2, Type Enforcement restricts users to certain
roles and restricts domains to certain files. Under standard UNIX, files
and directories use access controls. Whether you can read, write, or
execute a file depends on the groups you belong to and the
permissions set on the file. If you try accessing a Sidewinder G2 file
and are denied, even though the UNIX file permissions indicate that
you have access, Type Enforcement may be preventing access.
Checking file types
To check Type Enforcement file types, enter the following command:
/bin/ls -aly filename
You will see output similar to the following:
Admn:file filename
Checking directory types
File Name
File Type (such as exec, file, conf, util, diry)
Creating Domain
To check Type Enforcement directory types, enter the following
command:
/bin/ls -dy directory_name
You will see output similar to the following:
$Sys:diry directory_name
$Sys indicates that the directory was created in the $Sys domain. This
is a domain used by the operating system for various tasks.

Changing a file’s type (chtype)
Working with files on the Sidewinder G2
Use the chtype command to change a file’s type. Normally, you will
be in the Administrative kernel when changing a file’s type. It is
always possible to change a file’s type in the Administrative kernel
rather than the Operational kernel because the Administrative kernel
does not use Type Enforcement. The Operational kernel uses Type
Enforcement, which may prevent you from changing a file’s type.
There may, however, be situations where it would be convenient to
change a file’s domain while in the Operational kernel without having
to boot to the Administrative kernel. The following procedures
describe how to change a file’s type from either the Administrative or
the Operational kernel.
Changing file types in the administrative kernel
To change a file’s type in the Administrative kernel, follow the steps
below.
1. Attach a keyboard and monitor directly to your Sidewinder G2 system.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items to the front connection ports or both in the back
connection ports).
2. Enter the following command at the UNIX prompt:
chtype domain:type filename
For example, entering the command:
chtype Admn:exec myprogram
changes the domain and type for the myprogram file to Admn:exec.
Changing file types in the operational kernel
To change a file’s type in the Operational kernel, follow these steps:
1. At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role.
srole
2. Copy the file you want to change.
cp file1 newfile
Command Line Reference A-13

Working with files on the Sidewinder G2
A-14 Command Line Reference
3. Delete the original file.
rm file1
4. Change the new file to the target domain and/or file type.
chtype domain:filetype newfile
5. Rename the file.
mv newfile file1
Auditing the use of chtype commands
The Sidewinder G2 audits each failed occurrence of a chtype
command. However, you can also audit successful chtype events.
Use the following commands to enable or disable the auditing of
successful chtype commands.
To enable auditing of successful chtype commands, enter the
following command:
sysctl -w kern.auditchtype=1
To disable auditing of successful chtype commands, enter the
following command:
sysctl -w kern.auditchtype=0
Note: Whether you enable or disable auditing of successful chtype events, failed
chtype events are always audited.
Creating your own scripts
While operating in either the User or Admn domains, you can create
your own scripts for use on the Sidewinder G2. Scripts created in the
User domain will be executable by the Admn and User domain but no
other domain. Scripts created in the Admn domain will not be
executable by anyone until the type is changed to Admn:scrp using
the chtype command.

Understanding
automatic (cron)
jobs
Understanding automatic (cron) jobs
The Sidewinder G2 contains jobs that perform routine maintenance
tasks such as rotating files and cleaning out old files. These jobs are
run by the cron daemon, which reads its configuration file (/etc/
crontab) to determine which jobs to run and when to run them.
The following summarizes each automatic cron job on the Sidewinder
G2.
/etc/daily
When enabled, this job runs at 2:00 a.m. each day and performs the
following tasks:
Tells the operator which file systems need rotating.
Prints a summary of mail messages to be sent.
Prints a status of the mounted file systems.
Reports on system security by checking if files such as password
files have changed.
Runs daily.local. (This allows you to remove miscellaneous old or
junk files from directories such as /usr and /var/tmp (however, you
must first uncomment the appropriate cleandir command line(s)
in /etc/daily.local).
Rotates the /var/account/acct file.
Prints a summary of network status.
Compresses and rotates messages in the mail filtering log
directories.
Sends e-mail if the /var/log directory becomes 85% full and again
when it becomes 100% full.
The output of this job is sent to the /var/log/daily.out file. You can
view this output as described in Chapter 18.
Command Line Reference A-15

Understanding automatic (cron) jobs
A-16 Command Line Reference
/etc/weekly
This job runs each Saturday at 3:30 a.m and performs these tasks:
Rotates the access_log and error_log files in /var/log/httpd. These
files exist only if the httpd server is running.
Runs weekly.local. (This allows you to remove miscellaneous “.o”
files from the /usr/src and /usr/obj directories (however, you must
first uncomment the find command line in /etc/weekly.local).
The output of this job is sent to the /var/log/weekly.out file. You can
view this output as described in Chapter 18.
/etc/monthly
This jobs runs at 5:30 a.m. on the first day of each month and rotates
the /var/log/wtmp file. The output of this job is sent to the
/var/log/monthly.out file. You can view this output as described in
Chapter 18.
Rollaudit cron jobs
There are two /usr/sbin/rollaudit jobs listed in /etc/crontab. The
first job checks the size of various audit and log files daily at 2:00 a.m.
The second job runs each hour and rotates files found to be growing
too quickly. When these jobs run, they check the
/etc/sidewinder/rollaudit.conf configuration file to see which files
should be rotated. The following files are checked by rollaudit:
/var/log/audit.* (the Sidewinder G2 generates reports when these
files are rolled.)
/var/log/auditd.log
/var/log/cron
/var/log/lpd-errs
/var/log/messages
/var/log/maillog (This file is rotated once a week. The output is
used for the mail traffic reports described in Chapter 18.)
/var/log/snmpd.log

Understanding automatic (cron) jobs
You can edit the /etc/sidewinder/rollaudit.conf file to specify how
large files are allowed to get before they are rotated and the
maximum amount of time that should elapse between rotations. See
the rollaudit man page for details on editing this file.
Caution: To avoid serious system problems, do not allow the /var/log partition to
become full. The /sbin/logcheck job will generate an e-mail message warning you if the
/var/log partition becomes 85% full and then again if it becomes 100% full.
SmartFilter cron job
The SmartFilter control list is updated weekly by the following job:
/usr/sbin/smartfilter_auto_download
The system administrator is notified via e-mail whenever the control
list is successfully downloaded. See Appendix E for details about
administering SmartFilter.
Note: This cron job is disabled by default.
Monitor data retrieval cron job
The following cron job retrieves disk utilization information once
every minute:
/usr/bin/get_monitor_data
The data gathered from this job is used to generate the performance
report. See Chapter 18 for information on generating audit reports.
Report generating cron jobs
You can use the Admin Console Reporting window to generate the
following reports:
Root_access, service_denied, and traffic reports.
A network_probe report.
Note: Daily reports are initially disabled in /etc/crontab. If you want to enable daily
reports, you must first enable the auditdbd server or you will not receive any data. See
“Activating the Sidewinder G2 license” on page 3-19.
Command Line Reference A-17

Understanding automatic (cron) jobs
A-18 Command Line Reference
Squid log rotation cron job
The Web proxy server is implemented using Squid, an open source
software program that provides proxy and caching capabilities.
Squid’s log files (access_log, cache_log, and store.log) are rolled over
daily using the following command:
/usr/sbin/cf www rotate
CRL and certificate retrieval cron job
The following cron job automatically retrieves certificates and CRLs
from Netscape Certificate Authorities (CAs):
/usr/sbin/cf cert updatedbs
For more information on certificates, see Chapter 13.
Anti-virus DAT file cron job
The following cron job automatically updates the anti-virus DAT file.
/usr/sbin/datupdate
Package download cron job
The following cron job automatically performs package downloads:
/usr/sbin/cf package download
Export utility cron job
The following cron job automatically removes old export data:
/usr/sbin/cf export ftp
Logcheck cron job
The following cron job automatically runs the logcheck utility every
five minutes:
/usr/sbin/logcheck

A
A PPENDIX B
Setting Up Network Time
Protocol
About this appendix This appendix provides a brief introduction to Network Time Protocol
(NTP) and describes how to set up NTP on the Sidewinder G2. This
appendix covers the following topics:
“Overview” on page B-1
“Configuring NTP on a Sidewinder G2” on page B-5
“References” on page B-8
Overview NTP provides a way to synchronize all clocks on a network, or to
synchronize the clocks on one network with those on another
network. You may find NTP useful in the following situations:
When your internal network includes a system that already
provides time for the rest of your network.
When, for time-critical services, it is important to synchronize your
network with a more accurate chronometer on an external
network.
Important: If exact synchronization is not important to your site, you may ignore NTP
entirely. NTP is not automatically enabled during Sidewinder G2 installation, and is active
only if you configure and enable it as described later in this appendix.
This release of the Sidewinder G2 is compatible with NTP versions 1,
2, and 3. Version 3 is the preferred version and is the default on the
Sidewinder G2.
B
Setting Up Network Time Protocol B-1

B
Overview
Figure B-1. NTP serverclient
relationship
B-2 Setting Up Network Time Protocol
NTP servers and clients
In NTP, a server is a system that sends a time-feed to another system.
(The server is also referred to as a host.) The receiving system—the
one whose time is being set by the server—is an NTP client.
Consider the simple configuration in Figure B-1 showing an NTP time
server with two NTP clients (A and B) in the same network. The NTP
server supplies the time to NTP clients A and B. Using their own NTP
software, each client system must also be set up to receive time from
the server.
NTP server
(time source)
Client A Client B
The Sidewinder G2 can be set up as an NTP server or a client. Secure
Computing Corporation recommends that the Sidewinder G2 be set
up as an NTP client, receiving time from an NTP server on your
internal network.
The Sidewinder G2 as an NTP client
Figure B-2 shows a common NTP setup. It is the recommended
configuration, with the Sidewinder G2 configured as a client receiving
time from a server labeled “Internal time source.” In this
configuration, a server in the internal network (shown with an analog
clock) is the designated time-setter for the rest of the network. The
three other systems in the internal network are also NTP clients.

Figure B-2. Sidewinder
G2 as an NTP client —
internal server provides
time to the Sidewinder
G2 and to other internal
workstations (no timefeed
to or from Internet)
internal time source
Internal network
time-feed
Sidewinder G2
Overview
By means of NTP, the server automatically maintains the correct time
on the Sidewinder G2 and also maintains the time on other
workstations in the network. The advantages of this setup are the
following:
The internal network does not rely on an external time server and
is therefore not exposed to any security breaches that might
conceivably result. For this reason, this is the configuration
recommended by Secure Computing.
Since the Sidewinder G2 is not supplying time for other systems
but is only receiving it, this setup has minimal effect on Sidewinder
G2 performance.
The Sidewinder G2 as an NTP server
Internet
You can also set up the Sidewinder G2 to be a time-setter for the rest
of the network. The Sidewinder G2 can feed the time to an internal
system which in turn supplies time to your other workstations. The
Sidewinder G2 could also be set up to supply time to the workstations
in your network directly. However, this setup might decrease the
Sidewinder G2’s performance, especially if the Sidewinder G2 has to
supply time directly to a number of systems.
As shown in Figure B-3, the Sidewinder G2 is receiving time from
NTP servers on an external network and passing the time on to the
internal network. This would be advantageous if your company
required constant and precise time updates to within microseconds of
world standard time.
Setting Up Network Time Protocol B-3

Overview
Figure B-3. The
Sidewinder G2 as an NTP
server—external time
servers supply time to
the Sidewinder G2, which
passes time on to the
internal system (multiple
servers provide backup)
B-4 Setting Up Network Time Protocol
Important: Unlike the previous two configurations, an external-to-internal NTP
configuration may introduce security concerns to the Sidewinder G2 and thus to your
network. Therefore, this configuration is only recommended for sites that need world
standard time.
Note: For the configuration shown in Figure B-3, the router must be able to handle NTP
traffic.
time from the
Sidewinder
time-feed
internal
network
Router
Servers on external network
supply time to the Sidewinder
To pass a clock setting to the internal network, the external side of the
Sidewinder G2 needs to be configured as a client to the external clocks.
The Sidewinder G2’s NTP client then takes the "tick" from the remote
clock, and sends it to the on-board system clock. On the internal side
of the Sidewinder G2, the NTP server is enabled with the clock type
set to "local." This forces the Sidewinder G2 to look to its internal
clock for the time information, and configured as an internal server,
pass the "tick" to the server on the internal burb interface.
NTP must also be configured on each of the external time servers. For
certified time servers, it is safe to assume that this has already been
done correctly.
Note: An external NTP configuration is recommended only for sites that require time
within microseconds of world standard time. This is achieved by configuring NTP on the
Sidewinder G2 to accept time signals from one or more certified time servers located
outside your company network. For a list of certified time servers, check the following Web
site:
http://www.eecis.udel.edu/~mills/ntp/servers.html
The list includes stratum1 and stratum2 servers. Be sure to select stratum2 servers only. It is
also best to choose a time server that is located within your time zone.
R

Figure B-4. NTP conflict:
Sidewinder G2 receiving
time from external and
internal servers
(DO NOT CONFIGURE
NTP IN THIS WAY!)
Configuring NTP
on a Sidewinder
G2
Configuring NTP on a Sidewinder G2
Figure B-4 shows a configuration THAT SHOULD NOT BE USED
and that is almost guaranteed to cause trouble. This happens when
NTP is configured to supply time to the Sidewinder G2 from two
servers—one external and one internal. Input from the external time
server cannot be reconciled with that from the internal server.
internal time source
also supplies time to
Sidewinder G2
time-feed
internal
network
Use the following procedures to configure the Sidewinder G2 for NTP.
You can enable NTP for the appropriate burbs using the Admin
Console. However, you must configure NTP via the command line.
For information on configuring NTP via the command line see the
cf_ntp man page.
Configuring the Sidewinder G2 as an NTP client
Follow the steps below to set up the Sidewinder G2 as an NTP client
to receive the time from another NTP server.
Using the Admin Console 1. Disable the fixclock server, as follows (you must disable fixclock before
you enable NTP):
a. In the Admin Console, select Services Configuration -> Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b. Select the Disable radio button.
c. Click the Save icon in the toolbar.
Router
R
time server on external
network supplies time to the
Sidewinder G2
Setting Up Network Time Protocol B-5

Configuring NTP on a Sidewinder G2
B-6 Setting Up Network Time Protocol
2. Enable the NTP server in the appropriate burbs, as follows:
a. Select Services Configuration -> Servers, and select NTP from the
Server List. The NTP Control tab appears.
b. Select the check box for the burbs in which you want NTP enabled.
c. Click the Save icon in the toolbar.
Using command line: 3. At the command line, do the following:
a. Connect to the Sidewinder G2 and enter the srole command.
b. Select the machine(s) from which the Sidewinder G2 will receive
time by entering the following command:
cf ntp add server burb=server_burb
ip=NTPserver_ip_addr
4. [Optional] Configure the appropriate NTP rules using the following
format:
cf ntp add restrict burb=burb_name ip=restricted_ip_
address_or_subnet mask=network_mask_for_ip_address
flags=comma_separated_lists_of_flags: notrust,
noquery, etc.
Note: Flags are used to restrict the NTP functions of a server, peer, or client. Refer to
man cf_ntp for details.
As an NTP client, synchronization to the server clock will occur at a
rate of seconds per hour. That is, a difference of several minutes
between the server clock and the client clock may take several days to
synchronize.
Configuring the Sidewinder G2 as an NTP server
Follow the steps below to set up the Sidewinder G2 as an NTP server
to send the time to other systems.
Note 1: This section assumes the same configuration as shown in Figure B-3. It also
assumes you have already set up the Sidewinder G2 as a client on the external burb to
receive the time-feed from an external time server.
Note 2: If you are setting up NTP to provide time to your network from another network,
and there is a router between that network and your network, make sure the router allows
NTP traffic.
Using the Admin Console: 1. Disable the fixclock server, as follows (you must disable fixclock before
you enable NTP):

Configuring NTP on a Sidewinder G2
a. In the Admin Console, select Services Configuration -> Servers, and
select fixclock from the Server List. The fixclock Control tab appears.
b. Select the Disable radio button.
c. Click the Save icon in the toolbar.
2. Enable the NTP server in the appropriate burbs, as follows:
a. Select Services Configuration -> Servers, and select NTP from the
Server List. The NTP Control tab appears.
b. Select the check box for the burbs in which you want NTP enabled.
c. Click the Save icon in the toolbar.
Using command line: 3. At the command line, connect to the Sidewinder G2 and enter the
srole command.
4. Create a local clock by entering the following command:
cf ntp add peer burb=burb_name ip=127.127.1.0
prefer=yes
Setting prefer=yes specifies that the Sidewinder G2’s time signals
take precedence over a set of correctly operating servers that are also
sending the time.
5. (Optional: Perform if configuring the Sidewinder G2 as an authoritative
NTP clock) Add a list of NTP peers that can query the Sidewinder G2 by
entering the following command:
cf ntp add peer burb=peer_burb ip=ip_addr
An NTP peer is a server that is a designated “colleague” to another server
(peers can set each other’s clocks). Peers are sometimes used in large,
internationally-known time sites.
6. (Optional: Perform if configuring the Sidewinder G2 as an authoritative
NTP clock): Set up the NTP rules by entering the following command:
cf ntp add restrict burb=burb_name ip=restricted_ip_
address_or_subnet mask=network_mask_for_ip_address
flags=comma_separated_lists_of_flags: notrust,
noquery, etc.
Note: Flags are used to restrict the NTP functions of a server, peer, or client. Refer to
man cf_ntp for details.
Setting Up Network Time Protocol B-7

References
References NTP is a complicated protocol with many options. There are
numerous places where more information can be obtained. These
include RFCs, Web sites, and local manual (man) pages. For more
information about NTP, see the following sources:
B-8 Setting Up Network Time Protocol
Internet Request For Comments (RFC)
The following RFCs provide information on NTP:
RFC 1059Network Time Protocol (Version 1)
RFC 1119Network Time Protocol (Version 2)
RFC 1305Network Time Protocol (Version 3)
Web Sites
Point your browser to the following Web site:
http://www.ntp.org/
On-line manual (man) pages
Type the following commands:
man cf_ntp
man xntpd
man xntpdc

A
A PPENDIX C
Configuring Dynamic
Routing with OSPF
About this appendix This appendix describes how to set up routing capability on the
Sidewinder G2 using the Open Shortest Path First (OSPF) protocol.
Tip: You should read this appendix only if you have identified that your routing topology
is too complicated to use only static routing or the Routing Information Protocol (RIP).
OSPF is a complex IP routing protocol and deploying OSPF should involve discussions
between routing subject matter experts and security subject matter experts.
This appendix addresses the following topics:
“Overview” on page C-1
“OSPF processing on a Sidewinder G2” on page C-4
“Setting up OSPF routing on the Sidewinder G2” on page C-6
“Configuring "passive" OSPF” on page C-13
“Other implementation details” on page C-13
Overview OSPF is a routing protocol in that it provides information used to
figure out routes in a portion of a network. Unfortunately, it is not a
routing protocol in that it does not actually pass routes, but
information about links each router has. Based upon this link
information, each router runs the same algorithm and comes up with
the same "picture" of the network.
Note: OSPF runs as its own protocol (protocol 89) on top of IP.
OSPF uses a fair amount of multicasting. When a host detects a
change to a routing table or a change in the network topology, it
immediately multicasts the information to all other hosts in the
network. Unlike the RIP in which the entire routing table is sent, the
host using OSPF sends only the part that has changed. With RIP, the
routing table is sent to neighboring hosts every 30 seconds. OSPF
multicasts updated information only when a change occurs.
C
Configuring Dynamic Routing with OSPF C-1

C
Overview
Figure C-1. Three OSPF
protocol phases
C-2 Configuring Dynamic Routing with OSPF
A closer look at OSPF
Rather than counting the number of hops, OSPF bases its path
descriptions on link states that factor in additional network
information. Also, OSPF lets you assign cost metrics to a given host
router so that some paths are given preference.
There are three phases to the OSPF protocol:
1. Routers "discover" neighboring OSPF routers by exchanging Hello
messages. The Hello messages also determine which routers will act as
the Designated Router (DR) and Backup Designated Router (BDR). These
messages are periodically exchanged to ensure connectivity between
neighbors still exists.
2. Routers exchange their "link state databases." Link state means the
information about a system's interfaces (IP address, network mask, cost
for using that interface, and whether it is up or down).
3. Finally, the routers exchange additional information via a number of
different type of Link State Advertisements (LSAs). These "fill out" the
information needed to calculate routes. Some reasons for generating
LSAs are interfaces going up or down, distant routes changing, static
routes being added or deleted, etc.
OSPF router
R
1. Exchange hello messages to discover neighbor OSPF routers
2. Exchange Link state databases
3. Exchange Link state advertisements
OSPF router
OSPF router
At this point, all routers should have a full database. Each database
contains consistent (not identical) information about the network.
Based upon this information, routes are calculated via the "Dijkstra"
algorithm. This algorithm generates the set of shortest routes needed
to traverse the network. These routes are then enabled for use by IP.
R
R

Overview
All OSPF routers on a network do not exchange OSPF data—this
limits network overhead. Instead, they communicate with the DR (and
BDR), which are then responsible for updating all other routers on the
network. Election of the DR is based upon the priority of that router.
OSPF multicasts using the AllSPFRouters (224.0.0.5) and AllDRouters
(224.0.0.6) addresses. The Designated Router (DR) and Backup
Designated Router (BDR) receive packets on the second address.
Important: Since the Sidewinder G2 performs many other functions, Secure Computing
Corporation recommend that customers should not configure the Sidewinder G2 to
become DR (or BDR) unless forced to by network topology.
OSPF routing
OSPF is considered an Interior Gateway Protocol (IGP). An IGP limits
the exchange of routes to a "domain of control," known as an
Autonomous System (AS). An AS is a large network (an ISP for
example) created under a central authority running a consistent
routing policy, policies that include different routing protocols. RIP
(both V1 and V2), IS-IS, EIGRP (a proprietary Cisco protocol), are all
IGPs.
Exterior Gateway Protocols, such as EGP and Boundary Gateway
Protocols (BGP), communicate routing information between
Autonomous Systems.
Routers on the "edge" of the AS generate "special" LSAs (AS-External-
LSAs) for the rest of the AS. There's also a mechanism (forwarding
address) so that an OSPF router can "point over there" for a route.
This feature allows a customer to introduce static routes for their
network from a central router.
Autonomous Systems can be large. It is not necessary for the whole
AS to need to know "everything" about routes. Each AS may be
broken down into areas. All routing information must be identical
within an area. Routing between areas goes through a "backbone." All
routers on a backbone have to be able to communicate with each
other. Since they belong to the same area (area 0 of a particular AS),
they also all have to agree. Area Border Routers (ABRs) will have one
interface defined to run in the backbone area. Other interfaces can
then be defined to run in a different area.
Configuring Dynamic Routing with OSPF C-3

OSPF processing on a Sidewinder G2
Figure C-2. OSPF areas
OSPF processing
on a Sidewinder
G2
C-4 Configuring Dynamic Routing with OSPF
Take a look at a sample configuration. Figure C-2 shows a large
internal network and backbone terminating at a router.
area 0 (backbone)
Complicated
Network
Autonomous system (AS)
R
ABR
area n (8.8.8.8)
Complicated
Network
Stub areas are areas where there is a single exit point. An OSPF router
sends "summary" LSAs into the stub that point back to that router as
the default router for the stub area.
For more information on OSPF and Internet routing, check with your
router vendor. The following books may also be useful:
Routing in the Internet, 2nd edition by Christian Huitema, Prentice
Hall (2000)
Cisco Router OSPF: Design and Implementation Guide, by William
R. Parkhurst (Cisco Technical Expert), McGraw Hill (1998)
OSPF processing is done via a Sidewinder G2 server process called
gated. To implement OSPF processing on the Sidewinder G2, a
gated server process must be configured, enabled, and started in the
burb expecting to handle OSPF broadcasts. Only one gated may be
started per burb, but that gated will handle all network interfaces
within that burb.
The Sidewinder G2 currently runs version 3.6 of gated. This is the
most recent freely available version of gated available from the OSPF
Consortium and it's successor, NextHop.
This release of OSPF on the Sidewinder G2 runs gated as an "intraarea"
router. That means all interfaces that are configured to run OSPF
exist in the same OSPF area.
Note: Support for the Sidewinder G2 running as an ABR will come in a future release.
R
ASBR
EGP
BGP

Figure C-3. Sidewinder
G2 within OSPF area 0
backbone
Figure C-4. Sidewinder
G2 within OSPF area "n"
OSPF processing on a Sidewinder G2
Sidewinder G2 in an OSPF network topology
Essentially there are two choices for locating the Sidewinder G2
within the OSPF network topology.
the Sidewinder G2 within OSPF area 0 backbone
the Sidewinder G2 within OSPF area n
The first choice, shown in Figure C-3, extends the AS backbone
through the Sidewinder G2. Any area boundary external is to the
Sidewinder G2.
area 0 (backbone)
Complicated
Network
Autonomous system (AS)
R
ABR
area n (8.8.8.8)
Network
R
ASBR
The second choice, shown in Figure C-4, runs a non-backbone area
through the Sidewinder G2, placing the backbone completely internal.
This second option is preferable for security policy reasons, but may
not be practical without re-engineering the OSPF network.
area 0 (backbone)
Complicated
Network
b
u
r
b
b
u
r
b
Sidewinder G2
Autonomous system (AS)
R
ABR
b
u
r
b
area n (8.8.8.8)
b
u
r
b
Sidewinder G2
ASBR
Configuring Dynamic Routing with OSPF C-5
R

Setting up OSPF routing on the Sidewinder G2
Setting up OSPF
routing on the
Sidewinder G2
C-6 Configuring Dynamic Routing with OSPF
In order for OSPF to work, it is important that all routers work off of a
consistent link state database. The Sidewinder G2 implementation
allows a customer to control which routers it will communicate with
by using the rule list. The active rule list can be configured to only
allow known routers to talk to gated.
Interoperability with other OSPF routers
The 3.6 distribution of gated supports OSPF version 1 as described in
RFC 1583. Many routers will detect this automatically; other routers
have an RFC 1583 compatibility mode setting. This setting should be
enabled for all other routers (if available) in the same area as the
Sidewinder G2.
Other routing protocols
There are many versions of gated that support a number of routing
protocols. The Sidewinder G2 gated currently supports OSPF. A
future release will include RIP (both v1 and v2) support. At this time,
we are NOT expecting to support IS-IS (another interior routing
protocol similar to OSPF), or any exterior routing protocols (EGP or
BGP).
Follow the steps below to set up OSPF on the Sidewinder G2.
1. Sketch a diagram showing your planned Sidewinder G2 configuration
(similar to the diagram in Figure C-4). Include the following items on
your diagram:
configuration of the routers to which the Sidewinder G2 connects
OSPF areas in the network(s)
the Sidewinder G2 interfaces (burbs)
2. On the Sidewinder G2, define one or more netgroups for the routers to
which Sidewinder G2 connects. See Chapter 5 for details on creating
netgroups.
3. On the Sidewinder G2, configure one or more rules for the OSPF traffic.
See Chapter 7 for details on setting up rules.

Figure C-5. OSPF
Properties tab
About the OSPF Properties
tab
Setting up OSPF routing on the Sidewinder G2
4. On the Sidewinder G2, configure the following OSPF parameters:
a. Properties
b. OSPF properties
c. OSPF Areas
d. Advanced
Tip: Follow the procedures in the next sections to use the Admin Console to set your
OSPF options.
5. Enable the OSPF (gated) server by doing the following:
a. Using the Admin Console, select Services Configuration -> Servers
and then select gated-unbound.
b. Click Enable.
Configuring OSPF properties
To configure OSPF properties, start the Admin Console and select
Services Configuration -> Routing -> Dynamic. Click the OSPF Properties tab,
the following window appears:
The OSPF Properties tab specifies the parameters that affect overall
OSPF function on the Sidewinder G2. Follow the steps below.
1. In the Default Preference field, specify the default preference for
selection of routes learned by OSPF versus other gated routing
protocols. The default is 150. Do not change this field unless directed by
Secure Computing.
2. In the Default Cost field, specify the metric for external routes that OSPF
is going to advertise to the Autonomous System (AS). The default is 1.
Do not change this field unless directed to by Secure Computing.
Configuring Dynamic Routing with OSPF C-7

Setting up OSPF routing on the Sidewinder G2
C-8 Configuring Dynamic Routing with OSPF
3. In the Default Tag field, specify the tag OSPF routes for other protocoldependent
filtering. The default tag is 0. Do not change this field unless
directed to by Secure Computing.
4. In the Default Type drop-down list, select whether OSPF will advertise
external routes into the AS as either Type 1 or Type 2 Autonomous
System External routes (ASEs) depending on the value of this field. The
default is 1. Do not change this field unless directed to by Secure
Computing.
5. In the Default Inherit Metric field, select one of the following:
Yes: If this field is set to Yes, OSPF will use the metric from the
external route when exporting ASEs rather than using the default
cost.
No: This is the default value. Do not change this field unless
directed to by Secure Computing.
6. In the Export Limit field, specify the throttle rate at which an ASBR
advertises ASEs into the AS. The default is 100 ASEs per interval. Do not
change this field unless directed to by Secure Computing.
7. In the Export Interval field, specify how often an ASBR will advertise ASEs
into the AS. The value specifies seconds, with a default of 1. Do not
change this field unless directed to by Secure Computing.
8. The syslog field provides you with the ability to allow gated to log
occasional packets to syslog (and thereby Sidewinder G2 audits) in
addition to the depth of information obtainable from trace options. The
format is first pktcnt every pktcnt2, which means OSPF will log the first
pktcnt packets for EACH type of OSPF packet. After that, it will then log
one message per pktcnt2 packets. The default is no entry, which means
no logging. Do not change this field unless directed to by Secure
Computing.
9. In the OSPF Enabled field specify whether OSPF is enabled (yes or no).
10. To save your changes, click the Save icon in the toolbar.
Configuring OSPF Areas
To configure OSPF areas, start the Admin Console and select Services
Configuration -> Routing -> Dynamic. Click the OSPF Areas tab, the
following window appears:

Figure C-6. OSPF Area
tab
Setting up OSPF routing on the Sidewinder G2
About the OSPF Area tab The OSPF Area tab configure communication with other routers.
Follow the steps below.
Configuring the OSPF Area:
Interfaces window
1. In the Area field, specify the area number as follows:
Backbone—Select this option to define area 0.
Number—Select this option to define a non-zero area. The area is
defined in the Area Number field. Values can be simple numbers
(like 3), or "dotted decimal" (like IP addresses). Areas are 32 bit
numbers.
2. In the Stub field, specify the areas where there are no external routes as
follows:
Yes—Select this option If the Sidewinder G2 is an intra-area router
inside a stub area. In the Default Cost area, specify the cost of the
default route. If this is the Area Border Router (ABR) for the stub
area, this indicates the cost of the default route that will be flooded
into the stub area.
No—Select this option if the Sidewinder G2 is not an intra-area
router inside a stub area.
3. To modify the Interfaces table, see “Configuring the OSPF Area:
Interfaces window” on page C-9. The Interfaces table defines the
configuration for each OSPF interface on the Sidewinder G2.
Note: Do not change the Networks field unless directed to by Secure Computing.
When you click New or Modify under the Interfaces table, the
following window appears:
Configuring Dynamic Routing with OSPF C-9

Setting up OSPF routing on the Sidewinder G2
Figure C-7. OSPF Area
window: Interface
Information
C-10 Configuring Dynamic Routing with OSPF
1. In the Interfaces field, specify the Sidewinder G2 IP address for each
interface that should use OSPF.
2. In the Cost field, specify the metric that OSPF should advertise when
calculating routes using this interface. (OSPF leaves this undefined, but
it is an integer.)
3. In the Enabled field, specify whether this interface should currently run
OSPF.
4. In the Retransmit Interval field, specify the retransmit interval (in
seconds) between link state advertisement retransmits (the range is 0-
65535).
5. In the Transit Delay field, specify a reasonable estimate on how long it
takes an OSPF packet to be transmitted on this interface (range is 0-
65535). Except for very long delay paths, this parameter will normally be
set to 1.
6. In the Priority field, specify the priority for becoming a Designated
Router (DR) on this interface. Values are from 0–255, with the higher
priorities being more likely to be elected as DR (or Backup DR). When set
to 0 (the default setting), gated will not become a DR under any
circumstance.
Note: Secure Computing recommends that you keep this value 0 on the Sidewinder
G2 whenever possible; DR functionality can cause significant utilization impact.
7. In the Hello Interval field, specify the time in seconds between Hello
packets sent to maintain connectivity with neighboring routers. The
default is 10 seconds. Values range from 0–255.
8. In the Router Dead Interval field, specify the time in seconds OSPF will
wait without receiving Hello packets from a neighbor before assuming
that neighbor is down. The default is 40 seconds. Values from 0–65535.

Authentication Information
window
Figure C-8. Authentica-
ting Information window
Setting up OSPF routing on the Sidewinder G2
9. [Optional] In the Passive field, specify whether OSPF will NOT send
packets on this interface, but will send information about this interface
to other interfaces. Routes can then be established through the
Sidewinder G2 to systems on the passive interface. The default setting is
No.
10. In the Auth field, specify which type of primary authentication is used
on OSPF packets for this interface
none—No authentication (default).
simple—Specifies that a clear text value (as specified in the Auth
Keys list) must be present on all packets.
md5:—Specifies that a clear text value and key (as specified in the
Auth Keys list) must be present on all packets.
Note: If you select simple or md5, click New (or Modify) to specify the
authentication key data. See “Authentication Information window” below.
11. To save your changes, click the Save icon in the toolbar.
The Authentication Information window specifies settings for simple
or md5 authentication settings.
1. In the Authentication Key field, specify the clear text value that must be
present on all packets. This entry may be one to eight decimal digits
separated by periods, a one to eight hexadecimal string preceded by 0x,
or a one to eight character string in double quotes. More than one
Authentication key can be defined. The only requirement is that the
keys do not share the same Start Generate time.
2. (md5 authentication only) In the Id Number field, specify a value from
1–255.
3. In the Start/Stop Generate fields, define the time when gated will use
the key to sign outgoing packets.
4. In the Start/Stop Accept fields, define the time gated will use the key to
validate incoming packets.
Configuring Dynamic Routing with OSPF C-11

Setting up OSPF routing on the Sidewinder G2
Configuring the OSPF
Areas: Networks window
Figure C-9. OSPF
Advanced window
About the Advanced
window
C-12 Configuring Dynamic Routing with OSPF
Note: The Generate/Accept fields are optional fields that specify when an md5 key is
valid. If you specify any time value, you must also specify all other time values. Specify
overlapping valid times to ensure service is not lost. Also, multiple keys cannot share
the same Start Generate or Start Accept times.
The Networks area on the OSPF Areas window should not be
configured unless directed to do so by Secure Computing Technical
Support.
Configuring Advanced options
To configure advanced options, start the Admin Console and select
Services Configuration -> Routing -> Dynamic. Click the Advanced tab, the
following window appears:
The Advanced window allows you to directly edit and test the gated
configuration file.
Edit "gated.conf" File: Clicking this button allows you to set up and
specify features that are not available through the Admin Console.
Validate "gated.conf" File: Clicking this button launches a test utility
that checks the configuration file’s entries and ensures a valid
configuration.
The resulting test determines whether the file has valid parameter
settings that do not conflict with each other, however, it does not
evaluate the "logic" of the specified configuration.

Configuring
"passive" OSPF
Other
implementation
details
Configuring "passive" OSPF
You can configure and run OSPF through the Sidewinder G2
WITHOUT affecting the Sidewinder G2 routing tables. To do this, you
must edit the edit /etc/server.conf file as follows:
1. Using a text editor of your choice, find the entry:
2.
server(gated-unbound ...........)
Change the args[-N] to args[-n -N].
3. Save the file.
4. Stop and start the gated server from the Services Configuration ->
Servers menu.
Important: In order for the Sidewinder G2 to correctly pass data, static routes must
have been previously defined.
As with any routing protocol, OSPF passes routable addresses. This
defeats the purpose of NAT at the Sidewinder G2 running OSPF.
However, NAT can still be performed at the ASBR.
gated supports a method to "query" remote gated implementations
about their current state and information. This is done via the ospf
monitor command. For security, the ospf monitor command is not
supplied on the Sidewinder G2 and it does not accept queries from
remote gated instances.
Filtering of routes should not be performed within an area. This leads
to inconsistent link state databases. In turn, the Dijkstra algorithm will
probably end up calculating routing loops. The Sidewinder G2 will
support route filtering when it supports running as an ABR.
Configuring Dynamic Routing with OSPF C-13

Other implementation details
C-14 Configuring Dynamic Routing with OSPF

A
A PPENDIX D
Configuring Dynamic
Routing with RIP
About this appendix This appendix describes how to set up dynamic routing capability on
the Sidewinder G2 using its routing information protocol (RIP)
process. This appendix addresses the following topics:
RIP with standard
IP routers
“RIP with standard IP routers” on page D-1
“RIP processing on the Sidewinder G2” on page D-3
“RIP with the Sidewinder G2 using transparent IP addressing” on
page D-5
“RIP with the Sidewinder G2 NOT using transparent IP addressing”
on page D-8
“Configuring RIP on the Sidewinder G2” on page D-12
“Enabling/disabling the routed server” on page D-15
“Trace and log information” on page D-16
Security Alert: RIP version 1 is an inherently insecure protocol. Without careful
configuration of this service, this system may be susceptible to route confusion attacks.
The following describes how RIP processing aids in routing IP packets
through a network that has a redundant routing architecture. Figure
D-1 illustrates this redundant architecture.
D
Configuring Dynamic Routing with RIP D-1

D
RIP with standard IP routers
Figure D-1. Dynamic
routing a with standard
IP route
D-2 Configuring Dynamic Routing with RIP
Bizco
Network
Telnet server
R
router_a
router_b
CorpCity
Network
Note: This figure assumes that all routers (a, b, c, and d) are exchanging RIP packets
between each other every 30 seconds.
In this example, it is unnecessary for the Telnet server and the client
to be accepting RIP packets. The server can statically configure its
gateway to be Router_a. The client can statically configure its gateway
to Router_b.
The Telnet client has two different possible paths of reaching the
server: (1) via Router_b-to-Router_a, and (2) via Router_d-to-Router_cto-Router_a.
Examining the routing table on Router_b, you would find
that there are two possible routes to the Bizco network, one with a
hop count equal to two (through Router_a), the other with a hop
count to three (through Router_d).
When the Telnet client needs to connect to the Telnet server, it sends
a TCP connection request to Router_b because its internal default
route points to Router_b. Router_b receives the connection frame and
because the route to the Bizco network is shorter via Router_a (two
hops verses three hops), it forwards the connection frame on to
Router_a. Router_a forwards the frame into the Bizco network and it
eventually gets received by the Telnet server. The Telnet server builds
and sends a reply frame back, this frame typically follows the same
route back to the client. The two systems have established a
connection.
R
R
router_c
R
Telnet
client
router_d

RIP processing on
the Sidewinder G2
RIP processing on the Sidewinder G2
The dynamic routing capability of RIP can be seen when the link
between Router_a and Router_b is lost. As soon as Router_b notices
that it is no longer receiving RIP updates from Router_a, it updates its
local routing table hop count for that route to 16 (route unreachable)
and broadcasts this to others on its local network (this is to notify
Router_d).
Next, the Telnet client sends another IP frame to Router_a unaware
that the route between Router_a-to-Router_b has been lost. Router_a
looks at its local routing table and discovers there are two routes, one
unreachable, the other through Router_d. Because Router_d is on the
same network as the client, Router_b sends an ‘ICMP Redirect’ back at
the client stating that it can reach the Telnet server network through
Router_d. If the client’s TCP/IP stack is operating correctly, it updates
its local routing table to point that host at Router_d. The client TCP/IP
stack then re-sends its last frame to Router_d. Router_d receives the
frame and forwards it on to Router_c, which forwards it on to
Router_a, etc.
Important: Note that the TCP session continues on through Router_d as if nothing had
happened, and when the link between Router_a and Router_b is re-established, the Telnet
client again should receive an ‘ICMP Redirect’ from Router_d pointing it back at Router_a.
The session should continue as if nothing important happened.
RIP processing is done via a Sidewinder G2 server process called
routed. To implement RIP processing on the Sidewinder G2, a
routed server process must be configured, enabled, and started in the
burb expecting to handle RIP broadcasts. Only one routed may be
started per burb, but it will handle all network interfaces within that
burb.
The Sidewinder G2 can be configured to support RIP processing via
the following Admin Console options:
Receive routing information from other routers
Setting this option to Yes enables routed to receive UDP RIP
updates from any interface within that burb and update the local
routing table.
Setting this option to No disables the updating of local routing
tables with RIPs received from the local network interfaces.
Configuring Dynamic Routing with RIP D-3

RIP processing on the Sidewinder G2
Figure D-2. Routed on
the Sidewinder G2
D-4 Configuring Dynamic Routing with RIP
Advertise routing information
Setting this option to Yes enables routed to broadcast UDP RIP
updates, advertising local routing information available within this
burb.
Setting this option to No disables broadcasting of any UDP RIP
updates.
Advertise as default gateway
— Setting this option to Yes enables routed to send the default
route.
— Setting this option to No disables sending the default route.
Advertise burb/routes from burbs
This option specifies which burbs (other than the current burb)
should have their routing information included in RIP updates sent
by THIS burb. If no burbs are listed under this option, routed will
only send routing information about the current burb.
Figure D-2 illustrates the implementation of RIP processing within the
Sidewinder G2. This example, shows a trusted burb with two network
interfaces. When the routed server is started in this trusted burb, both
these interfaces will automatically be supporting RIP.
TCP
/IP
local
routing
table
local
routing
table
Internet burb routed
routed trusted burb
Admin Console options set:
Receive routing information
from other routers = yes
Advertise routing information
= no
No other burbs specified
TCP
/IP
Admin Console options set:
Receive routing information
from other routers = no
Advertise routing information
= yes
External burb (1) specified

RIP with the
Sidewinder G2
using transparent
IP addressing
Figure D-3. RIP with the
Sidewinder G2
RIP with the Sidewinder G2 using transparent IP addressing
Routed on the Sidewinder G2 operates by listening for UDP
broadcasts on port 520. It also sets a timer to send a RIP packet
advertising its routing information every 30 seconds. When a RIP
broadcast is received, the routed server updates the local routing table
with any new routes. When the 30 second timer expires, the routed
server reads and updates its local routing table, and then broadcasts
its local routing information
Important: Through Type Enforcement, no routed is allowed to update the local
route table in a different burb.
The following describes how RIP processing occurs through the
Sidewinder G2. Figure D-3 illustrates an architecture where the
Sidewinder G2 has been positioned to control IP traffic between the
two company networks. If the Sidewinder G2s do NOT provide RIP
support, the automatic rerouting of traffic through the use of dynamic
routing is lost.
Bizco
Network
Telnet server
R
router_a
Internet burb trusted burb
SidewinderG2_b
R
router_b
Internet burb trusted burb
R
SidewinderG2_c
router_c
CorpCity
Network
router_d
For this example, Router_a will broadcast UDP RIP packets to
SidewinderG2_b but they will be dropped. Because the Sidewinder
G2 now supports RIP, the Sidewinder G2 can be configured to act as a
router and actively participate in the dynamic RIP processing. In order
to pass data traffic through the Sidewinder G2, however, some proxy
or server must be configured and enabled.
Configuring Dynamic Routing with RIP D-5
R
Telnet
client

RIP with the Sidewinder G2 using transparent IP addressing
D-6 Configuring Dynamic Routing with RIP
The assumption for this discussion is that the administrator has
configured the Sidewinder G2 Telnet proxy. The administrator must
also enable the rule allowing trusted burb-to-Internet burb traffic from
the Telnet client to the Telnet Server. Also, to pass the RIP information
through the Sidewinder G2s, both systems must configure and enable
the routed server.
For discussion purposes, the administrator must use the Admin
Console to configure routed on the Internet burb for the following
options:
Advertise routing information: yes
Advertise as default gateway: no
Receive routing information from other routers: yes
Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
Advertise routing information: yes
Advertise as default gateway: no
Receive routing information from other routers: no
Routes from burbs: Internet (2)
Given the above configuration, both Sidewinder G2s will do the
following:
broadcast the external routing table information to Router_a (so
Router_a knows when the link is up or down)
receive routing information from Router_a (all Bizco’s routing
information) and update the external routing table
broadcast both the internal and external routing information into
CorpCity’s network (which provides CorpCity’s) networks with
routing information to Bizco’s network)
NOT listen to any RIP broadcasts from the CorpCity network.
Important: The last bullet here is VERY IMPORTANT. This will be discussed in more detail
later in this document.

If connection is lost
between Router_a and
SidewinderG2_b
RIP with the Sidewinder G2 using transparent IP addressing
As in the above discussion, when the Telnet client needs to connect to
the Telnet server, it sends a TCP connection request to Router_b
because its internal default route points to Router_b. Router_b
receives the connection frame and because the route to the Bizco
network is shorter via Router_a (3 hops verses 4 hops), it forwards the
connection frame on to Router_a, which forwards the frame to the
Sidewinder G2. The Sidewinder G2 IP services receive the frame, and
checks its routing table to decide if it knows where this connection
request should be sent.
Because the external routing table has a route to Bizco’s network, the
IP services sends the request up to the Telnet proxy. If there was no
route to Bizco’s network, and a default route had not been specified,
the Sidewinder G2 IP services would have discarded the packet. The
Telnet proxy receives and validates the connection request, then
proceeds to issue a new, independent TCP connection request to the
Telnet server (on the external network). This new request, which has
an originating address of the external Sidewinder G2, gets sent to
Router_a and is forwarded on into the Bizco network and so on and
so forth. The Bizco Telnet server replies back to the Sidewinder G2,
thinking that the Sidewinder G2 is the originator of the session. The
Telnet proxy then replies back to the Telnet client, and the session is
now in place between the server and the client.
If the connection between Router_a and SidewinderG2_b is lost, the
following occurs:
1. SidewinderG2_b notices that it is no-longer receiving RIP updates from
Router_a and updates its local routing table hop count for that route to
16 (route unreachable), and broadcasts this out on the internal network
(this is to notify Router_b).
2. The Telnet client sends another IP frame to Router_a unaware that the
route between Router_a-to-SidewinderG2_b has been lost. Router_a
looks at its local routing table and discovers there are two routes, one
unreachable, the other through Router_d.
3. Because Router_d is on the same network as the client, Router_b sends
an ‘ICMP Redirect’ back at the client stating that it can reach the Telnet
server network through Router_d.
4. The client updates its local routing table to point that host at Router_d,
then re-sends its last frame to Router_d.
5. Router_d receives the frame and forwards it on to Router_c, which
forwards it on to SidewinderG2_c.
Configuring Dynamic Routing with RIP D-7

RIP with the Sidewinder G2 NOT using transparent IP addressing
RIP with the
Sidewinder G2
NOT using
transparent IP
addressing
D-8 Configuring Dynamic Routing with RIP
6. SidewinderG2_c, receives the IP frame for the Telnet server, checks the
route, has a route, and sends it up to the internal TCP servers. The
Sidewinder G2 TCP services checks the frame and discovers this is not a
TCP connection request and that it there is not currently a session with
the client. Because of this, TCP services builds a ‘TCP reset’ frame and
sends it back to the client.
Note: This causes the current Telnet session to be lost. However, when the Telnet client
opens another session to the server, that connection request will get sent to
SidewinderG2_c, which will go through all the above steps and establish a NEW session
with the Telnet server.
So what happened to the sessions between SidewinderG2_b and the
client, and SidewinderG2_b and the server? These sessions will timeout
according to what has been configured for the Telnet proxy
inactivity timer. Currently this defaults to 2700 seconds, or 45 minutes.
Unless the Telnet server also has a connection time-out, the session
will remain between the two systems until the time-out occurs, at
which time the proxy closes both sessions.
What will happen when the route between Router_a and
SidewinderG2_b becomes available again? The Telnet client sends the
frame to Router_d which will send an ‘ICMP Redirect’ back to the
client telling it to communicate through Router_b. The client will
resend the frame to Router_b, which forwards it to the Sidewinder G2.
Again the Sidewinder G2 has received a frame for which it is not in
session, and it will send a ‘TCP reset’ back to the client, causing the
client to again close the session. As far as the client is concerned the
Telnet server has unexpectedly closed the session. And again, if the
client opens a new session all will be fine. But remember the sessions
are timing out between SidewinderG2_c and the Telnet server.
Important: The administrator should change this Telnet idle session timer to
something more reasonable such as 10 minutes.
The assumption for this discussion is that the Telnet server must be
able to identify the Telnet clients IP address. The above configuration
would not allow this, the Telnet server will see all sessions from
CorpCity network as originating from the Sidewinder G2. In Figure D-
4 as with Figure D-3, in order to pass any traffic through the
Sidewinder G2, some proxy or server must be configured and
enabled.

Figure D-4. RIP with the
Sidewinder G2
"spoofing" the client’s
address
Bizco
Network
Telnet server
RIP with the Sidewinder G2 NOT using transparent IP addressing
R
router_a
Internet burb trusted burb
SidewinderG2_b
R
router_b
Internet burb trusted burb
R
SidewinderG2_c
router_c
To accomplish the ‘spoofing’, you must configure the Sidewinder G2s
generic TCP proxy to listen on port 23, and enable it to spoof the
original workstations IP address (refer to the “use_client_address”
feature in the /etc/sidewinder/conf/tcpgsp.conf file). The administrator
must also enable the rule list allowing internal to external traffic from
the Telnet client to the Telnet Server for the generic TCP proxy. Also,
to pass the RIP information through the Sidewinder G2s, both systems
must configure and enable the routed server.
Again for discussion purposes, the administrator must use the Admin
Console to configure routed on the Internet burb for the following
options:
Advertise routing information: yes
Advertise as default gateway: no
Receive routing information from other routers: yes
Routes from burbs: none
Also, routed on the trusted burb must be configured as follows:
Advertise routing information: yes
Advertise as default gateway: no
Receive routing information from other routers: no
Routes from burbs: Internet (2)
CorpCity
Network
router_d
Configuring Dynamic Routing with RIP D-9
R
Telnet
client

RIP with the Sidewinder G2 NOT using transparent IP addressing
D-10 Configuring Dynamic Routing with RIP
When the Telnet client needs to connect to the Telnet server, it sends
a TCP connection request to Router_b which forwards the frame on to
SidewinderG2_b. The SidewinderG2_b IP services receives the frame
and passes it up to the generic_TCP proxy, which validates the
connection request and issues a new, independent TCP connection
request to the Telnet server (on the external network).
This new request, however, contains the originating IP address of the
real client, not the external Sidewinder G2 IP address. The request
gets sent to Router_a and is forwarded to the Telnet server in the
Bizco network. Next, the Bizco Telnet server builds and sends a reply
to Router_a, expecting it to be delivered on to the client. Router_a
receives the reply and looks at its routing table to find a route to
CorpCity’s client network. Router_a will not find one, and the
packet will be dropped.
Because the Sidewinder G2 is NOT advertising its internal routes
Router_a does NOT know how to get to CorpCity’s networks. What
the administrator should do is set “Routes from Burb to Internal (0)”
on the external side. This will cause the routed server in the external
burb to also advertise all the routes it finds on the internal burb. What
happens now is Router_a gets additional information about internal
routes available on the Sidewinder G2.
Does this solve the problem? The answer is NO. Since the internal
routed server is NOT updating the internal route table (“Receive
routing information from other routers” was set to NO), no routes
about CorpCity’s network will be available. The Sidewinder G2
administrator must set as “Receive routing information from other
routers to YES” on the internal routed server. Now the Sidewinder G2
will advertise CorpCity’s routes to router_a, and when Router_a
receives the packet for CorpCity it will understand how to route it.
Note: Beware of enabling “Receive routing information from other routers = Yes” in more
than one burb!
Enabling the setup we just described, both SidewinderG2_b and
SidewinderG2_c will begin updating their internal routing tables with
RIP information received from the internal routers. Keep in mind that
SidewinderG2_c is advertising routing information about Bizco’s
network internally, and the internal routers (Router_b, Router_c, and
Router_d) will now contain routing information about how to reach
Bizco’s networks. When the internal routed on SidewinderG2_b
receives the route information, it will contain routes to Bizco’s
network.

RIP with the Sidewinder G2 NOT using transparent IP addressing
What would happen if SidewinderG2_b updated its internal route
table with a route to Bizco (the external network) via Router_a?
Incoming packets which should be destined for the external network
would be forwarded back into the internal network to Router_a! Both
Sidewinder G2s would do this and the frames would never pass
through the Sidewinder G2.
The Sidewinder G2s routed server handles this by NOT adding a
route into the local routing table if the route to be added exists in one
of the other route tables. These route updates will be silently
discarded.
Note: Beware, however, that whichever routed updates the table with the route first,
wins!
For example, when SidewinderG2_b is started and the link to
Router_a is down, SidewinderG2_b has not received routing
information about Bizco’s network. If SidewinderG2_c broadcasts a
RIP out that Bizco is available through it, SidewinderG2_a will
eventually receive this (via the routers) at the internal routed server
which will update its local table with the route to Bizco’s network
through Router_b.
What about the instance such as above where we need it? The only
way to avoid this problem is to configure a filter for which routes it
will advertises to SidewinderG2_b. More information on how and why
to do this will be given later.
One last note about the above example. If Router_b were removed
from this network and the Sidewinder G2 directly connected to the
internal network, SidewinderG2_b would be tied directly to the Telnet
clients network. If the Burbs option is set on the external routed
server, it would advertise the necessary route to Router_a on how to
reach the client’s network. In this instance, there would be no reason
to set the “Receive routing information from other routers” to YES on
the internal routed server. Also, in this scenario, if the Telnet client
has its default route pointing to the Sidewinder G2 and the link
between Router_a and SidewinderG2_b fails, the internal routed will
not know that another route is available (it is not updating its local
table with RIPS from Router_d). Subsequently because the Sidewinder
G2 does not know the alternate route it cannot know to send the
client the ‘ICMP Redirect’ frame to allow the session to be re-routed.
Configuring Dynamic Routing with RIP D-11

Configuring RIP on the Sidewinder G2
Configuring RIP
on the Sidewinder
G2
Figure D-5. Routed
Configuration window
Entering information on the
Routed Configuration
window
D-12 Configuring Dynamic Routing with RIP
To configure the routed server, using the Admin Console select
Services Configuration -> Routing -> Routed. The following window
appears.
This window allows you to configure a routed server in a specific
burb. Follow the steps below.
1. In the Burb drop-down list, select the burb for which you want to
configure routing.
2. In the Routing information field, select one of the following options:
Yes—Select this option to enable routed to broadcast UDP RIP
updates, advertising all local routing information available within
the burb(s) selected in the Routes from Burbs box.
No—Select this option to disable broadcasting of any UDP RIP
updates.
3. In the As Default Gateway field, select one of the following options:
Yes—Select this option to enable routed to send the default
route.
No—Select this option to disable sending the default route.
4. In the Routes from Burbs box, select the burbs for which routes will be
advertised. (This option is only available if you selected Yes in the
Routing Information field.)

Configuring RIP on the Sidewinder G2
5. In the Receive routing information from other routers field, select one of
the following options:
Yes—Select this option to enable routed to receive UDP RIP
updates from any interface within that burb and update the local
routing table.
No—Select this option to disables the updating of local routing
tables with RIPs received from the local network interfaces.
6. In the Filter type field, determine whether to allow or deny routes using
the following information:
Filtering provides the administrator the ability to both control which
routes the Sidewinder G2 uses to establish external connections, and to
control what routing information is advertised by the Sidewinder G2
from one network to another. This control focuses on two areas.
which external routes are added into a Sidewinder G2’s routing table
from a RIP broadcast received via the network.
which routes in a Sidewinder G2’s routing table are advertised in a RIP
broadcast being sent to an external network.
The possible settings are:
Allow—Specifies that only routes specifically listed will be either
accepted from the network or sent by the routed running in this
burb. If set to Allow, at least one entry must be specified in the
Address/Network/Type/Direction table, or routed cannot be
enabled. Also, all routes will be blocked from being added,
including local network interfaces, unless specifically listed in the
Address/Netmask/Type/Direction table.
Deny—Specifies that routes are accepted and sent unless
specifically listed in the Address/Netmask/Type/Direction table.
Note: There is no provision for allowing some routes and denying other routes.
7. The Address/Netmask/Type/Direction table lists the route filter entries
currently defined for the selected burb. Use the New, Modify, and Delete
buttons to modify this table. See “Defining route filter information” on
page D-14 for details.
When you allow or deny a route, it can be either a host route (indicating
a path to a specific address), or a network route (indicating a path to a
group of common machines).
Route filtering is performed whenever routed is going to add a route
to its local routing table. This means that different routing filters can be
applied to different burbs.
Configuring Dynamic Routing with RIP D-13

Configuring RIP on the Sidewinder G2
Defining route filter
information
D-14 Configuring Dynamic Routing with RIP
The route filter entries highlight one of the major limitations of routed
and the RIP protocol. routed recognizes only the standard class A, class
B, and class C IP network masks (255.0.0.0, 255.255.0.0, and
255.255.255.0). The Sidewinder G2 route filter entries allow more flexible
network masks for forward compatibility.
8. Click the Save icon in the toolbar to save your routed configuration
changes.
The Route Filter Information window appears if you click the New or
Modify button from the Routed Configuration window. The Route
Filter Information window allows you to create a new or modify an
existing route filter. Follow the steps below.
1. In the Type field, select the type of route being defined: host (host route)
or net (network route).
2. In the Address field, specify either the IP address of the host for host
routes, or the network portion of the IP address for network routes.
3. (Network route only) If you selected net in step 1, specify which portion
of the address parameter should be considered valid in the Netmask
field. There are two possible ways to enter the network mask. One is to
use the "dotted decimal" form, such as 255.255.255.0 for class C
networks. The other is to use the hexadecimal representation, which
would be ffffff00 for class C.
4. In the Direction drop-down list, select which direction routed should
apply for this filter. This option provides you with a lot of flexibility in
determining what routing information you accept and provide.
Important: Be careful about what routes you advertise to external users and
about accepting routes from those same external users.
Inbound—Specifies routed will not accept this route from the
network. However, it WILL include this route in an advertisement if
you have selected the Advertise option.
Outbound—Specifies that routed will accept this route from the
network. but NOT advertise this route regardless of the advertise
option setting.
Both—Specifies routed to ignore this route.
5. Click Add to add the route filter to the list and exit the window.

Enabling/
disabling the
routed server
Rule list support
Enabling/disabling the routed server
Another routed feature is rule list support to identify from which
routers to accept RIP packets. The rule list will be based primarily on
the source IP address on the incoming RIP packets. Create these rules
using the Admin Console by selecting Policy Configuration -> Proxy Rules.
Note: A rule must be defined for routed or it will not function.
To allow incoming traffic, create a new rule with the Service Type
field set to "Server" and the service field set to "routed.” The source IP
address can be either a single router who you want to accept RIP
traffic from or a netgroup of routers and/or hosts. The destination IP
address will usually be set to “All Destination Addresses," since the
destination is the broadcast address of the network for the burb the
rule applies to. The source and destination burbs will be equal and
should be set to the burb that you want to receive RIP packets from.
All routed configuration files are located in /etc/sidewinder/routed
with one configuration file per burb named
routed.conf.burb_name. The configuration file contains three rules
which directly correspond to the options available in the cf routed
area.
Perform the following steps to enable or disable the routed server.
1. In the Admin Console, select Services Configuration -> Servers.
2. Select routed from the list of server names.
3. Click a burb to either enable or disable the routed server in that burb.
A check mark appears if the server is enabled for a burb.
4. Click the Save icon in the toolbar.
Configuring Dynamic Routing with RIP D-15

Trace and log information
Trace and log
information
D-16 Configuring Dynamic Routing with RIP
To debug routed you can add the -t flag to the args field of the
routed entry located in /etc/server.conf to enable routed tracing.
server(routed /sbin/routed
config_file[/etc/sidewinder/routed/routed.conf.%n]
directory[]
env(domain[rou%b] user[root] group[wheel] core[]
files[2048]
memory[] processes[500] stack[] rss[])
pidfile(/var/run/routed/routed.pid.%n lock)
valid[0 1 2 3 4 5 6 7 8] enabled[]
require[]
refuse[]
args[-t] roles[$Sys])
Note: You can add one -t flag to routed to increase the tracing level. If you add more
than one -t flag, routed will not start.
All tracing information is logged to the routed log files located in
/var/log/routed/routed.log.burb_name which can be viewed using
standard UNIX commands in the admin role.
A note about flushing filter routes
In the possibility that you misconfigure your routing tables, you will
need to use the Admin Console (or cf routed commands) to disable
routed and make corrections to the tables.
Before restarting routed, enter the following command at a UNIX
prompt to flush the routing tables of all gateways.
route flush

A
A PPENDIX E
Setting Up SmartFilter
Services
About this chapter This chapter describes the SmartFilter Control List. It explains how
to subscribe to the SmartFilter Control List and how to configure
SmartFilter on your Sidewinder G2. It covers the following topics:
Controlling Web
access using the
SmartFilter
Control List
“Controlling Web access using the SmartFilter Control List” on page
E-1
“Evaluating the SmartFilter Control List” on page E-2
“Subscribing to the SmartFilter Control List” on page E-3
“Configuring SmartFilter on the Sidewinder G2” on page E-3
“Editing the SmartFilter files” on page E-8
When you configure the Sidewinder G2 to allow Web access using the
Sidewinder G2’s Web proxy server, you can control the Internet sites
that your company’s users access. This feature is based on Secure
Computing’s SmartFilter Control List.
The SmartFilter Control List contains tens of millions of URLs that are
deemed non-business related or non-productive. Secure Computing
has organized the Control List database into 30 pre-defined categories
plus 10 customizable categories. (See Table E-2 on page E-11.) The
SmartFilter Control List is updated each business day.
SmartFilter can manage Internet access at several levels ranging from
simple access restrictions to thorough blocking of all sites deemed
unproductive or non-business related.
Note 1: For a description of each category, go to www.smartfilter.com.
Note 2: You can control Web access using SmartFilter’s Control List only when users
access the Web through the Web proxy server. See “Configuring the Web proxy server” on
page 12-12 for details. Also, the Control List can restrict access to HTTP URLs, but you
cannot restrict access via a Web browser to FTP or Gopher sites.
E
Setting Up SmartFilter Services E-1

E
Evaluating the SmartFilter Control List
Evaluating the
SmartFilter
Control List
E-2 Setting Up SmartFilter Services
If you are not a current SmartFilter user, you can evaluate the full
Control List or a sample Control List by following the steps contained
in the sections that follow.
Evaluating the full Control List
You can retrieve a 30-day evaluation copy of the full Control List by
performing the following steps:
1. Go to http://www.smartfilter.com.
2. Click on the Product Evaluation option.
3. Select SmartFilter for Sidewinder G2 Firewall from the drop-down list.
4. Click Evaluate this version.
5. Complete and submit the registration form.
Within one business day after you complete and submit the registration
form, you will receive information via e-mail that includes an evaluation
login ID and password. You can then use the ID and password to obtain
a current SmartFilter Control List using the procedure described in the
section titled “About the SmartFilter General tab” on page E-5.
Evaluating the sample Control List
If you want to perform a more immediate SmartFilter evaluation, you
can use the sample Control List provided with the Sidewinder G2. The
sample Control List is initially empty. You can populate the sample
Control List with sites that suit your testing needs by manually adding
those sites to the /etc/sidewinder/smartfilter/site.txt file (see “Editing
the smartfilter.site file” on page E-9). To install the sample Control List,
perform the following steps:
Note: The sample Control List exists only if you have not downloaded a new Control List
from the Secure Computing FTP site. Downloading a new Control List overwrites the
sample Control List that is initially provided on the Sidewinder G2.
1. Using the Admin Console, select Services Configuration -> SmartFilter.
2. On the General tab, click Download and Install Control List Now.
To verify that the sample Control List is installed and not a full Control
List, check the size of the /var/sf file. The sample Control List is
significantly smaller than the full Control List (less than 100 kB).

Subscribing to the
SmartFilter
Control List
Configuring
SmartFilter on the
Sidewinder G2
Subscribing to the SmartFilter Control List
To obtain a subscription to the full SmartFilter Control List, complete
the following steps:
1. Order the SmartFilter service option through Secure Computing or your
reseller.
After you submit your order, you will be mailed an activation certificate
that includes information for obtaining a login ID and password.
2. Once you obtain your login ID and password, you can configure
SmartFilter as described in “Configuring SmartFilter on the Sidewinder
G2” on page E-3.
You will receive a SmartFilter key as part of the subscription process.
While this key is not necessary to run SmartFilter with the Sidewinder
G2, it does allow you to view the number of users that are covered by
the SmartFilter license, as well as the expiration date for the license.
To view this information, at a Sidewinder G2 command line interface
enter the following command:
sf_license license_key
where license_key is the SmartFilter license key value.
For more information on using this utility, refer to the sf_license
man page.
In order to get SmartFilter up and running with your Sidewinder G2,
you will need to do the following:
Set up SmartFilter on the Sidewinder G2.
Download and install the Control List.
Customize alert e-mails and messages.
Setting up SmartFilter on the Sidewinder G2
To ensure that SmartFilter functions properly on the Sidewinder G2
you must do the following:
Important: By default SmartFilter is disabled on the Sidewinder G2. If you do not
perform the following steps, SmartFilter will not be used to perform Web filtering.
Setting Up SmartFilter Services E-3

Configuring SmartFilter on the Sidewinder G2
E-4 Setting Up SmartFilter Services
1. Obtain a SmartFilter login ID and password. (See “Evaluating the full
Control List” on page E-2 or “Subscribing to the SmartFilter Control List”
on page E-3.)
2. Configure the Web Proxy server to allow SmartFilter control lists by
selecting the Enable SmartFilter Control Lists check box on the Web
Proxy Server Configuration tab. (See “Configuring the Web proxy server”
on page 12-12.)
3. Configure filtering options (such as denied file extensions) by creating
the appropriate Web Cache Application Defenses for your WebProxy
rules. See “Creating Web Cache Application Defenses” on page 6-19 and
“Creating proxy rules” on page 7-4.
Note: SmartFilter will not function without at least one active WebProxy rule.
You can create an Application Defense that will deny certain
categories, regardless of the time of day or day of the week. and
add it to a WebProxy rule.
Note: Secure Computing recommends that you set the following categories to
deny: sex, nudity, drugs, criminal activities, hate speech, gambling, extreme, and
anonymizer/translator.
You can create a WebProxy rule to filter certain options during
working hours and a separate rule for filtering during non-working
hours.
You can create WebProxy rules to allow specific access to certain
employees (management, etc.).
4. Configure download options and the remainder of the SmartFilter
options on the SmartFilter Configuration window. (See “Controlling
Web access using the SmartFilter Control List” on page E-1.)
Downloading and installing the SmartFilter Control List
To download and install the SmartFilter Control List, using the Admin
Console select Services Configuration -> SmartFilter. The following
window appears:

Figure E-1. SmartFilter
window: General tab
About the SmartFilter
General tab
Configuring SmartFilter on the Sidewinder G2
The SmartFilter General tab allows you to download and install the
SmartFilter Control List. Follow the steps below.
Note: The Control List is over 50 MB in size, so allow 30 minutes or more for the initial
download to complete before installing it.
To download and install the Control List, follow the steps below:
1. Ensure that the FTP Site field specifies the correct location of the Control
List FTP site (the default site is ftp.smartfilter.com). Do not modify the
default value without consulting Secure Computing Customer Support.
2. Type your SmartFilter username in the Username field. You will not be
able to download the SmartFilter Control List file without entering a
valid username.
3. Type your SmartFilter password in the Password field. You will not be
able to download the SmartFilter Control List file without entering a
valid password.
4. Ensure that the Directory field specifies the correct location of the
Control List on the FTP site. The path is set to /pub/sfv3/lists/sfcontrol by
default.
5. Click Download and Install Control List Now to immediately download
the SmartFilter Control List.
Setting Up SmartFilter Services E-5

Configuring SmartFilter on the Sidewinder G2
E-6 Setting Up SmartFilter Services
6. [Optional] If you want to have the most current SmartFilter Control List
automatically downloaded every week, select the Enable Automated
Download and Install check box and specify the following:
Important: You must update the Control List at least once each month. Failure to
do so will cause the Control List to expire and the filtering options will default to
“allow all” HTTP traffic (that is, no sites will be blocked).
a. In the Frequency field, select Daily (to update the list each day at a
specific time) or Weekly (to update the list on a particular day and
time each week).
b. [Conditional] If you selected Weekly in the previous step, select the
day of the week on which you would like to download the most
current SmartFilter Control List from the Day drop-down list.
c. In the Time field, select the time of day at which you would like to
download the most current SmartFilter Control List. To change the
time, click on the increment you want to change (hour, minute,
second, AM/PM) and use the up and down arrows to specify the
desired time.
Note: While the initial download of the Control List is over 50 MB is size, subsequent
updates are performed using a differential download method, which compares the
existing list to the new list and downloads only new information.
Important: If the SmartFilter Control List expires, the filtering options default to
"allow all" http traffic. This means that no sites are blocked.
7. To view the current version of the control list you are using, click Show
Installed Control List Version Number Now. An Info window appears
displaying the current installed version. When you are finished viewing
the version, click OK.
8. Click the Save icon in the toolbar to save your changes.
Configuring advanced SmartFilter options
To configure advanced SmartFilter options, in the Admin Console
select Services Configuration -> SmartFilter and click the Advanced tab.
The following window appears.

Figure E-2. SmartFilter
Advanced tab
About the SmartFilter
Advanced tab
Configuring SmartFilter on the Sidewinder G2
The SmartFilter Advanced tab allows you to configure e-mail alert
information as well as create a customized message that will appear
when a user attempts to access a site that is denied by SmartFilter.
From this window, you can also access the config.txt file (by clicking
Edit “SmartFilter.conf”) and the site.txt file (by clicking Edit
“SmartFilter.site”) for editing.
1. In the Primary E-mail Contact field, type the e-mail address of the
primary SmartFilter administrator at your company.
2. In the From e-mail: field, type the e-mail address that will appear in the
From field for all e-mail alerts sent to your users. This informs your users
where the alert originated. For example, you may want to use the same
e-mail address as the Primary E-mail Contact.
3. In the Mail Server field, type the fully qualified domain name of your
SMTP Mail Server.
4. Click the Save icon to save the information.
5. [Optional] You also have the option to manually edit any of the
following SmartFilter files:
Edit ‘SmartFilter.conf’—Click this button to manually edit the
config.txt file. See “Editing the SmartFilter files” on page E-8 for
details.
View Coach Text Page—Click this button to display the message
that will appear to users when users attempt to access a site for
which you have allowed coached access. For information on using
the coaching feature, see “Creating proxy rules” on page 7-4.
Setting Up SmartFilter Services E-7

Editing the SmartFilter files
Editing the
SmartFilter files
E-8 Setting Up SmartFilter Services
Edit Coach Text (html)—Click this button to manually edit the
Coach Text page.
Edit ‘SmartFilter.site’—Click this button to manually edit the site.txt
file. See “Editing the smartfilter.site file” for details.
View Denied Text Page—Click this button to view the message that
users will see when they attempt to access a site that is denied. For
information on denying access for specific categories, see
“Creating proxy rules” on page 7-4.
Edit Denied Text (html)—Click this button to create or edit the
message that users will see when they attempt to access a site that
is denied.
Testing your SmartFilter Configuration
After you have configured SmartFilter for use with the Sidewinder G2,
you should test the system to ensure that the filtering options you
specified in the Application Defenses for your rules are working
properly. Using your Web browser, try to access a restricted site and
verify that you receive the desired result.
For example, if you create a WebProxy rule that denies access to news
sites, you can then attempt to access www.cnn.com. If the Web site is
blocked, you will know that SmartFilter is working. If the site is not
blocked, you may need to modify the rule (or the Application
Defense that is used for that rule).
You can edit the SmartFilter configuration file
(/etc/sidewinder/smartfilter/config.txt) and the SmartFilter site file
(/etc/sidewinder/smartfilter/site.txt).
Editing the SmartFilter configuration file
Table E-1 defines each parameter that you can edit in the
etc/sidewinder/smartfilter/config.txt file. The parameters are described
in the order they appear in the config.txt file.

Editing the SmartFilter files
Table E-1. config.txt file options that can be edited using the Admin Console
Parameter Description
primary_email
smartfilter_admin@yourcompany.com
from_email
smartfilter_admin@yourcompany.com
mail_server
mail.yourcompany.com
Editing the smartfilter.site file
Specifies the e-mail address of the
primary SmartFilter Administrator at
your company site.
Specifies mail coming from your
company as SmartFilter mail.
Specifies the name of your mail server.
ftp_site ftp.smartfilter.com Identifies the name of the FTP site
where the control list resides.
ftp_username user1 Identifies the username for accessing
the FTP site where the control list
resides.
ftp_passwd password1 Identifies the password for accessing
the FTP site where the control list
resides.
ftp_path pub/sfcontrol Identifies the directory on the FTP site
where the control list resides.
The smartfilter.site file allows you to make your own unique additions
and exemptions to the SmartFilter Control List. The site file is loaded
when SmartFilter is started. Entries in the site file take precedence
over entries in the Control List provided with the system.
Lines in this file that begin with a # symbol are comments only and
are not processed by SmartFilter. To customize your site file, add
uncommented lines as described in the following sections.
Setting Up SmartFilter Services E-9

Editing the SmartFilter files
E-10 Setting Up SmartFilter Services
Adding a URL to one or more Control List categories
To add a URL to one or more Control List categories, follow the steps
below.
1. Specify a URL, site, or path. You can specify sites, parts of sites (like a
directory path within a site), and individual URLs.
2. Add a space after the site, path, or URL.
3. Add a comma-delimited string of two-letter Control List category codes
in which you want the entry included.
For example:
To restrict: Configure your entry like this:
An entire site: http://www.sexstuff.com sx,os
Part of a site (all URLs
beginning with specified
path):
A single URL without
blocking the rest of a site:
http://www.univ.edu/compsci/~joecollege/
PICS/Girls sx,pp
http://www.bigco.com/HR/jobs.html js
The following table identifies the category codes to use for the
corresponding Control List categories

Table E-2. Category Codes
Editing the SmartFilter files
Control List category Code Control List category Code
art, culture ac cults/occult oc
anonymizer/translator an on-line sales os
chat ch politics, opinion, religion po
criminal skills cs personal pages pp
drugs dr portal sites ps
entertainment et self help sh
extreme ex sports sp
gambling gb sex sx
games gm travel tr
humor hm webmail wm
hate speech hs user defined category 1 u0
investing in user defined category 2 u1
job search js user defined category 3 u2
lifestyle ls user defined category 4 u3
dating mm user defined category 5 u4
MP3 sites (high bandwidth) mp user defined category 6 u5
mature mt user defined category 7 u6
usenet news na user defined category 8 u7
nudity nd user defined category 9 u8
general news nw user defined category 10 u9
Setting Up SmartFilter Services E-11

Editing the SmartFilter files
E-12 Setting Up SmartFilter Services
Exempting a site, path, or URL from restriction
To exempt a site, path, or URL from restriction, follow the steps
below.
1. Specify a URL, site, or path. You can specify sites, parts of sites (like a
directory path within a site), and individual URLs.
2. Add a space after the site, path, or URL.
3. Add the word exempt.
For example:
To exempt: Configure your entry like this:
An entire site: http://www.TV-NEWS.com exempt
A path without
exempting the balance of
the site:
An individual URL without
exempting the balance of
the site:
http://www.sexmag.com/articles exempt
http://www.sexmag.com/HumanResources/jobs/
photographer.htm exempt

A
A PPENDIX F
Basic Troubleshooting
About this appendix This appendix provides basic troubleshooting advice as well as
procedures that require attaching a keyboard and monitor to your
Sidewinder G2, such as performing a full system backup or reimaging
your system. This appendix addresses the following topics:
“Powering-up the system to the Administrative kernel” on page F-2
“Restoring access to the Admin Console” on page F-3
“Backing up system files” on page F-4
“Restoring system files” on page F-8
“Adding hardware to an active Sidewinder G2” on page F-14
“What to do if the boot process fails” on page F-16
“Re-imaging your Sidewinder G2” on page F-17
“If you forget your administrator password” on page F-19
“Interpreting beep patterns” on page F-21
“If a patch installation fails” on page F-23
“Troubleshooting proxy rules” on page F-23
“Understanding FTP and Telnet connection failure messages” on
page F-28
“Troubleshooting High Availability” on page F-29
“Troubleshooting NTP” on page F-34
“VPN troubleshooting commands” on page F-36
F
Basic Troubleshooting F-1

F
Powering-up the system to the Administrative kernel
Powering-up the
system to the
Administrative
kernel
F-2 Basic Troubleshooting
You must be in the Administrative kernel to perform certain system
maintenance tasks such as installing software or creating a full system
backup. Follow the steps below to boot the system to the
Administrative kernel when your Sidewinder G2 is powered OFF.
Important: When you are in the Administrative kernel, all network connections are
disabled and Internet services are not available. Type Enforcement is also disabled.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Turn the Sidewinder G2 ON by pressing the power button.
3. When the “Booting Sidewinder Operational kernel” message appears,
press any key (excluding Esc) to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational kernel
is booting. Press any key before the 0 appears. A Boot: prompt then
appears.
4. Enter the following command:
bsd.sw.admin -w
5. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear. At the system prompt, you can perform
any administrative tasks that require the Administrative kernel.
Note: If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
6. When you have finished working in the Administrative kernel, reboot or
shut down the system.
Note: See “Rebooting or shutting down using a command line interface” on page 3-
4 to reboot or shut down the system from a command line interface.

Restoring access
to the Admin
Console
Restoring access to the Admin Console
Enabling and disabling authentication for the
administrative kernel
The following steps explain how to enable and disable authentication
for the administrative kernel. By default, administrative kernel
authentication is disabled. This is because it is generally assumed that
the Sidewinder G2 will be housed in a secure location that is not
easily accessible by non-administrators. If your Sidewinder G2 is
housed in an insecure area (that is, non-administrators could easily
gain access to the physical system), you should enable administrative
kernel authentication.
To enable or disable authentication for the administrative kernel,
follow the steps below.
1. Log in to the Admin Console, and select File Editor.
2. Click Start File Editor.
3. Select File -> Open.
4. In the Source field, select Firewall File.
5. In the File field, type /etc/ttys and click OK.
6. To enable or disable administrative kernel authentication, edit the
following line:
console /usr/libexec/getty pccons" ibmpc3 on secure
To require authentication, change the value to insecure.
To disable authentication, change the value to secure.
7. Select File -> Save to save your changes.
8. Select File -> Exit to close the file editor.
If an administrator accidentally configures the active rule group in a
way that prevents an administrator from logging into the Sidewinder
G2 (for example, moving the deny_all rule to the first position or
deleting certain access rules), the following procedure allows you to
regain access.
1. Reboot the Sidewinder G2 to the Administrative kernel. For information
on rebooting to the Administrative kernel, see “Powering-up the system
to the Administrative kernel” on page F-2.
Basic Troubleshooting F-3

Backing up system files
Backing up
system files
F-4 Basic Troubleshooting
2. At a console attached directly to the Sidewinder G2, run the following
script:
restore_console_access
This script will create a temporarily proxy rule called
restore_console_access and adds it to the first position of the active
proxy rule group. This rule allows an administrator to log into the
Sidewinder G2 directly (using a console that is directly attached to the
Sidewinder G2).
3. When the script completes, reboot to the Operational kernel. See
“Rebooting or shutting down using a command line interface” on page
3-4.
4. When the Sidewinder G2 finishes rebooting, log in at a console
attached directly to the Sidewinder G2.
5. Using the command line, identify and correct the problem in your
active proxy rule group that is preventing administrator access. See
Appendix A or refer to the cf acl man page for information on
configuring your active rules via command line.
6. Once you have configured your active rules to allow administrator
access, you will need to delete the restore_console_access rule. If you
do not delete this rule and accidentally misconfigure the active rule
group (displacing the position of the restore_console_access rule), a
new rule cannot be configured and added in the correct position.
You can back up your Sidewinder G2 file system to a digital audio
tape (DAT) using scripts provided with the Sidewinder G2. The
backup (and restore) functions on your system have been modified to
be aware of Type Enforcement. When you restore files (as described
on page A-8), they are automatically restored with the correct Type
Enforcement properties.
The backup and restore procedures described in this section affect the
entire Sidewinder G2 file system, including configuration files, mail
queues, audit trails, and so on. If you want to backup and restore only
the configuration files on your Sidewinder G2, see “Configuration file
backup and restore” on page 3-13 for details.
Tip: Be sure to backup your system on a regular basis! You should already have a backup
copy of the boot diskette as described in the Sidewinder G2 installation documentation.

Backing up system files
The Sidewinder G2 provides scripts for performing a full system
backup and incremental backups. The backup scripts listed in Table
F-1 are provided in the /etc/backups directory. The log file for
backups is stored in /var/log/backup.log.
Table F-1. Sidewinder G2 backup scripts
Backup Type Backup script What it does
Full backup ./level0.backup Backs up everything
Incremental
backup
Performing a full system backup (level0)
Use the /etc/backups/level0.backup script to back up all of the
file systems on your Sidewinder G2. The file systems that exist on
your Sidewinder G2 may vary depending on how you have
configured your Sidewinder G2. The file systems that are backed up
may include the following (as well as any other file systems that you
have on your Sidewinder G2):
/
/var
/usr
/home
/var/log
/var/spool
./do.dump fs level
filenum
Backs up the specified file
system and labels it with the
specified filenum
Note: If your Sidewinder G2 has multiple hard disks, resulting in re-partitioning of a file
system, the backup scripts will manage that for you. The scripts also support backups that
span multiple tapes.
To perform a full (level 0) system backup, follow the steps below.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
Basic Troubleshooting F-5

Backing up system files
F-6 Basic Troubleshooting
2. Enter the following command on your Sidewinder G2 system to reboot
to the Administrative kernel:
shutdown -g now
3. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear.
Note: If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4. Insert a backup DAT in the Sidewinder G2’s tape drive and wait for the
tape to reach its load-point.
5. Enter the following command to run the full backup script:
/etc/backups/level0.backup
The backup process will take several minutes. You will see a “DUMP IS
DONE” message for each file system. When the backup is complete, the
# prompt appears and the tape ejects.
6. Label the tape (include type of backup, date, time, and so on).
7. Reboot the system to the Operational kernel by entering the following
command:
shutdown -r now
Performing an incremental backup
The /etc/backups/do.dump command allows you to use several
different options that track which files have changed since the last
time you backed up, so that you are not doing full backups each time.
This allows you to back up only the files that have changed since the
last backup. For example, your first system backup would be a full
backup (Level 0). The next time you back up, you would assign a
backup level (a number from 1 to 9); for example, you could label it
backup Level 1. The Level 1 backup procedure would check your file
system, searching for files that were not backed up in Level 0. Only
those files would be written to the tape. The next time you did an
incremental backup, it would back up only the files that had changed
since the previous Level 1 backup.
Note: While incremental backups can eliminate multiple copies of unchanged files, using
incremental backups does increase the duration and complexity of the restore process. If
you have a fast tape drive and the level 0 backup fits onto a single tape, you may want to
consider performing only level 0 backups.

Performing an incremental
backup
Backing up system files
Tip: How often you should perform incremental backups depends on many factors, such
as how much your system is used. The UNIX System Administration Handbook offers
several types of schedules that meet various needs.
The following example shows an incremental backup (Level >0) that
backs up four file systems. The backed up files are labeled file 1
through file 4.
Level 5 dump for /var as file 1 to /dev/nrst0 on Fri Feb
17 03:00:03 CST 1995
Level 5 dump for /usr as file 2 to /dev/nrst0 on Fri Feb
17 03:00:11 CST 1995
Level 5 dump for / as file 3 to /dev/nrst0 on Fri Feb 17
03:01:33 CST 1995
Level 5 dump for /var/log as file 4 to /dev/nrst0 on Fri
Feb 17 03:06:10 CST 1995
The following example performs an incremental backup of the /usr
file system. The tape will not be rewound, and the backed up file will
not be compressed.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and
reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Enter the following command at the command prompt:
shutdown -g now
3. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear.
Note: If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4. Insert a backup DAT into the tape drive and wait for the tape to reach its
load-point.
5. Type the following command to run the incremental backup script,
Important: You must type this command for each file system except /tmp.
/etc/backups/do.dump /usr level filenum
where:
level = the backup level (see Incremental backup on “Performing
an incremental backup” on page F-6)
Basic Troubleshooting F-7

Restoring system files
Restoring system
files
F-8 Basic Troubleshooting
filenum = a file number, indicating the position on the backup
tape. For example, if this is the second file system on the tape the
value for this parameter should be 1 (the first file system will be at
position 0). For more information on how this parameter is used,
see “Performing an incremental restore via the do.restore script” on
page F-11.
This command backs up the /usr file system to the “no rewind” tape
device (usually /dev/nrst0) and labels it.
You will see a “DUMP IS DONE” message for each file system. When the
backup is complete, the # prompt appears.
6. When you have finished all incremental backups, rewind and eject the
DAT by entering the following command:
mt o
7. Label the tape, indicating the type of backup, date, and time. You
should also record the file systems that were backed up along with the
corresponding file number (filenum) and mount point in case the file
system order changes over time.
8. Reboot the system to the Operational kernel by entering the following
command:
shutdown -r now
In the unlikely event that your Sidewinder G2’s hard disk needs to be
replaced, you will need to restore the file system that you have
backed up. You will also need to do a full system restore if you add
hardware (for example, memory or disk space) to your active
Sidewinder G2.
The restore process allows you to restore your Sidewinder G2 to your
last level 0 backup without reconfiguring your system. To do this,
follow the instructions in “Performing a full system restore” on page F-
9. Then use the procedure in “Performing an incremental restore via
the do.restore script” on page F-11 to restore files from your
incremental backup tapes.
When you restore files, they are automatically restored with the
correct Type Enforcement properties.
The Sidewinder G2 provides the capability to restore files from a full
system backup (Level 0) or incremental backup tape (see Table F-2).

Table F-2. Sidewinder G2 restore scripts
Restore Type Restore method What it does
Restoring system files
Full restore via boot process Restores your Sidewinder G2
from the level 0 backup tape
Incremental
restore
Important: You must perform all incremental restore operations from the
Administrative kernel.
Performing a full system restore
Use the following procedure to restore your Sidewinder G2 using a
level 0 backup. The restore process allows you to restore your
Sidewinder G2 to your last level 0 backup without reconfiguring your
system.
Caution: When you perform this procedure, all existing data will be overwritten by your
last level 0 backup. Any files or directories added since the level 0 backup will be lost.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and
reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Enter the following command on your Sidewinder G2.
shutdown -h now
3. Once the system is halted, insert the Sidewinder G2 product CD-ROM,
and then power off the system.
4. Power up the system.
./do.restore
filenum
Tip: See the Sidewinder G2 installation and configuration documentation for
additional details on the Installation Wizard.
5. Press Enter when the Installation Wizard appears.
Restores the specified file
system from the specified
filenum
6. In the Installation Type window, use the down-arrow to move to the
Restore Full System Backup option, and then press the space bar to
select it.
Basic Troubleshooting F-9

Restoring system files
F-10 Basic Troubleshooting
7. Tab to Continue and then press Enter.
The Restore Full System Backup command will prompt you to insert a
backup DAT; this is the DAT that you created when you did the level 0
backup.
8. Change partitioning information if needed.
During the boot process the Default Disk Allocation screen displays the
default values. If you need to modify the values, tab to Configure and
then press Enter.
Note: You may need to modify these values if you have installed new hardware.
Otherwise, it is recommended that you use either the default values or whatever
values that were set when the system backup was performed.
9. Insert the DAT and wait for the tape to reach its load-point. Press Enter
to initiate the restore process. The restore process will repartition the
drives and reload all of the system files from the tape.
10. When the restore is finished, the following message will appear:
File restore complete.
11. Remove the DAT and CD-ROM from their respective drives.
12. Press Enter to reboot. The system then reboots to the Administrative
kernel.
13. If needed, restore any incremental backups. See “Performing an
incremental restore via the do.restore script” on page F-11 for
information.
14. Perform a new full system (level 0) backup. See “Performing a full system
backup (level0)” on page F-5.
Important: Do this even if you have not restored any old incremental backups.
Performing a new level 0 backup might seem unnecessary at this point, but it must be
done in order for future incremental backups to remain in sync with the new file
structure. Problems will likely occur if you do a new incremental backup at a later
date and then try to restore the system without having first done a full system (level
0) backup.
15. When the full system backup is complete, enter the following
command to reboot to the Operational kernel:
shutdown -r now

Restoring system files
Performing an incremental restore via the do.restore
script
As noted earlier in this section, the Sidewinder G2 file systems are
stored as separate files on the backup tape. To restore a file system,
you can use the do.restore script in the /etc/backups directory.
Incremental restores must be performed from the Administrative
kernel.
Follow these steps to restore files on the Sidewinder G2:
Caution: If you are restoring the root (/) file system, DO NOT restore the /shlib directory,
which contains shared libraries. If you restore this directory, the system will hang and you
will not be able to reboot it. To restore this file system, first use the add command to restore
all files. Then use the delete command to delete the /shlib directory from the list of files.
Extract the files as usual.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and
reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Reboot the system to the Administrative kernel by entering the
following command:
shutdown -g now
3. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear.
Note: If you have enabled authentication for the administrative kernel, you will be
prompted to log in before the system prompt appears.
4. Insert your backup DAT into the tape drive. Use the DAT on which you
backed up your files.
5. Type df to display the file system on the current Sidewinder G2.
Important: The file system on the current Sidewinder G2 may not reflect the order
in which the file systems were backed up on a back up tape!
Basic Troubleshooting F-11

Restoring system files
F-12 Basic Troubleshooting
For example, the output might look like this:
Filesystem 512-blocksUsed Avail Capacity Mounted on
/dev/sd0a 21150 14392 4642 76% /
/dev/sd0d 123903 86320 25192 77% /var
/dev/sd0e 123903 86320 25192 77% /var/log
/dev/sd0g 3837972 939306 2514868 27% /usr
/dev/sd1a 4047224 2131220 1511280 59% /home
6. Use the cd command to switch to the appropriate directory.
Switch to the directory shown in the “Mounted on” column, as shown in
the previous step.
7. Position the tape and invoke the restore script by entering the following
command.
/etc/backups/do.restore filenum
Note: You must enter this command for each file system that you want to restore.
The filenum variable refers to the order in which the file system
appears on the backup tape. For example, typing do.restore 0 will
position the tape to restore the first file system that was backed up. In
the example list shown in step 5, the first file system backed up was /.
Typing do.restore 4 will forward the tape four file systems from the
first one. (This script automatically rewinds the tape first.) Based on the
example in step 5, the tape would move to /home.
After you type the command, you are in the interactive mode for the
restore command (the prompt is restore>).
8. Type the command you want to use to build the extract list.
You can type any of the commands listed in Table F-3.
These commands build the extract list, but relative to the current
directory specified in step 4. For example, use the add command to add
files to the list of the ones you want to restore. A restore is not started
until the next step is completed.

Table F-3. Restore Script Commands
Command What it does
ls directory Lists contents of the specified directory
cd directory Changes to specified directory
Restoring system files
pwd Prints the full path name of the current working
directory
add directory
add file
delete directory
delete file
9. After you have selected the files, enter the extract command.
10. When prompted, enter the volume number by typing 1 and press Enter.
You will be asked whether you want to change owner/mode/types for
the current working directory.
11. Type y or n and press Enter.
Adds directory or file to list of files to be extracted
Important: If you are restoring the root file system,
see Caution on page F-11!
Deletes directory or file from list of files to be
extracted
extract Extracts all files that were added to the list
setmodes Sets modes of requested directories
quit Exits program immediately
what Lists dump header information
verbose Toggles verbose flag (useful with ls command)
help or ? Prints this command list
You should almost always type n to prevent the owner/mode/types in
the current working directory from being changed.
12. To exit the restore script, type quit at the >restore prompt.
13. Repeat step 6 through step 12 for other file systems you want to restore.
Basic Troubleshooting F-13

Adding hardware to an active Sidewinder G2
Adding hardware
to an active
Sidewinder G2
F-14 Basic Troubleshooting
14. When you are finished restoring files from the DAT, rewind and eject the
tape by entering the following command:
mt o
15. Reboot to the Operational kernel by entering the following command:
shutdown -r now
Restoring configuration files using the command line
If you need to restore your Sidewinder G2 to a backup configuration
saved on floppy diskette and do not have access to the Admin
Console, use the following steps to restore your configuration backup
via the command line.
1. Insert the configuration backup diskette in the Sidewinder G2’s diskette
drive.
2. At a Sidewinder G2 command prompt, enter the following command:
cf config restore loc=floppy
3. The Sidewinder G2 restores the configuration files. If your backup
configuration uses multiple diskettes, you will be prompted when you
need to remove the current diskette and insert the next diskette.
4. When restore process is complete, remove the diskette and reboot.
Important: The version of the configuration backup must match the version on the
Installation–Disk Imaging CD used during the restore process. Avoid complications by
backing up your configuration after every upgrade.
You can use the full system (level 0) restore process if you want to
add hardware (for example, memory or disk space) to your active
Sidewinder G2, or if you are moving to a new chassis.
Note: The best time to add memory or disk space is before you install your Sidewinder G2
software. When you have completed the procedure, the Sidewinder G2 will automatically
detect the new memory and disk space.

To add hardware, follow these steps.
Adding hardware to an active Sidewinder G2
Note: You do not need to perform this procedure if you are adding network devices.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and
reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items to the front connection ports or both in the back
connection ports).
2. Perform a level 0 backup of your system.
Important: You must back up your software system because you will be
repartitioning the disk drives in step 7, and you will need a full backup to restore the
system. Given the significance of this backup, it is a good idea to perform two level 0
backups, in case there is a problem with the first backup. See “Backing up system
files” on page F-4 for instructions on performing a level 0 backup.
3. Type the following command to halt the system.
shutdown -h now
4. Power off the system.
5. Add the new hardware to your system.
Be sure to take the necessary precautions to prevent accidental
electrostatic shock.
6. Power up the system and quickly insert the Sidewinder G2 Installation–
Disk Imaging CD-ROM.
Tip: See the Sidewinder G2 installation and configuration documentation for
additional details.
7. Press Enter when the Installation Wizard appears.
8. In the Installation Type window, use the down-arrow to move to the
Restore Full System Backup option, and then press the space bar to
select it.
9. Tab to Continue and then press Enter.
The Restore Full System Backup command will prompt you to insert a
backup DAT; this is the DAT that you created when you did the level 0
backup.
10. Change partitioning information, if needed.
During the boot process the Default Disk Allocation screen displays the
default values. If you need to modify the values, tab to Configure and
then press Enter.
Basic Troubleshooting F-15

What to do if the boot process fails
What to do if the
boot process fails
F-16 Basic Troubleshooting
Note: You may need to modify these values if you installed new hardware.
Otherwise, it is recommended that you use either the default values or whatever
values that were set when the system backup was performed.
11. Insert the DAT and wait for the tape to reach its load-point. Press Enter
to initiate the restore process. The restore process will repartition the
drives and reload the system files from the tape.
12. When the restore is finished, the following message will appear: File
restore complete.
13. Remove the DAT and CD-ROM from their drives.
14. Press Enter to reboot the system to the Administrative kernel.
15. If needed, restore any incremental backups. See “Performing an
incremental restore via the do.restore script” on page F-11 for
information.
16. Perform a new full system (level 0) backup.
Important: Do this even if you have not restored any old incremental backups.
Performing a new level 0 backup might seem unnecessary at this point, but it must be
done in order for future incremental backups to remain in sync with the new file
structure. Problems are likely to occur if you perform a new incremental backup at
some later date and then try to restore the system without having first performed a
full system backup.
17. When the full system backup is complete, enter the following
command to reboot to the Operational kernel:
shutdown -r now
Boot failure may be caused by the fsck command. This command is
run as part of the system boot process. If this command fails, the
Sidewinder G2 will not boot properly. If the boot process fails, you
will need to attach a keyboard and monitor and repower the system.
If you see a # prompt (indicating that the fsck command failed), type
the following at the # prompt to fix any disk problems:
ind Kern /sbin/fsck -p
Then restart the system by entering shutdown -r now at the
command prompt.

Re-imaging your
Sidewinder G2
System reboot messages
Re-imaging your Sidewinder G2
During a system reboot, certain system events will cause messages to
be stored in the audit holding area prior to auditd being started.
When auditd starts, one or more blue messages stating “sacopen:
transferred 1 records from hold” may appear on the console’s
display. This merely indicates that the messages stored in the audit
holding area were transferred to the audit stream. Normally, these
messages can be ignored.
If you need to re-image your Sidewinder G2 configuration, follow the
steps below. You will need both your Sidewinder G2 Installation–Disk
Imaging CD-ROM and your configuration backup diskette. (You may
need to use this process if your original configuration was incorrect.)
Note: Any changes you made to the multi-processor configuration (mp.config) file, will
be overwritten during the re-installation process.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Insert the Installation–Disk Imaging CD into the drive and reboot (or
power on) the system. The system boots from the CD and displays
standard boot-up information. When the system finishes booting, the
Sidewinder G2 software Installation Wizard Welcome window appears.
3. Press Enter. The Installation Type window appears.
4. Press Enter to accept Install as the installation type and continue with
the installation.
5. Review the system information. If necessary, tab between the window
information and the Continue button.
6. Make sure the Continue button is highlighted and press Enter.
7. Press Enter to accept the default disk partitioning.
Note: In most situations, the default partitioning should be appropriate. Only
experienced administrators should change the default disk partitioning.
8. Tab to highlight Yes.
9. Press Enter. The Installation Wizard will erase your system’s hard drive
and re-install the Sidewinder G2 software.
Basic Troubleshooting F-17

Re-imaging your Sidewinder G2
F-18 Basic Troubleshooting
Caution: If you answer Yes at this point, your system’s hard drive will be erased.
Depending on the size of your hard drive, this process may take some time (from
30 to 120 minutes for a 20 GB hard drive).
10. Press Enter. The Installation window appears.
11. Tab to Done and press Enter.
12. Remove the CD-ROM and insert your Configuration Wizard floppy
diskette in the Sidewinder G2’s diskette drive.
13. Press Enter to reboot the system. The Sidewinder G2 automatically loads
the configuration information from the Configuration Wizard floppy
diskette. When this process completes:
If configured to auto-activate, the system will initialize and access
the Secure Computing activation server. During this time, the
system will reboot, then emit two beeps indicating the Sidewinder
G2 is active.
Note: The Sidewinder G2 will try to send the activation request for one minute. If the
activation is not successful in that time, you must activate your Sidewinder G2 using
the Admin Console.
If configured for manual activation, the system will initialize and
start in Safe mode. After about seven minutes, a four-beep pattern
begins and continues (every 30 seconds) until the Sidewinder G2
license is activated. The Sidewinder G2 will not pass traffic until it is
activated.
Note: Safe mode indicates that Sidewinder G2 is now networked, but not passing
traffic. Traffic will only be passed once your Sidewinder G2 licensed is activated.
14. Remove the Configuration Wizard diskette and store it in a safe location.
15. [Conditional] If you applied any system patches to your Sidewinder G2
prior to making your last configuration backup, you will need to load
and install to your previous patch level before you apply the
configuration backup diskette. (For information on loading and
installing patches, see “Loading and installing patches” on page 3-41.)
16. Restore your Sidewinder G2 configuration data. See “Restoring
configuration files using the Admin Console” on page 3-18.

If you forget your
administrator
password
If you forget your administrator password
If you forget your administrator password, you can change your
password on the Sidewinder G2 itself by booting to the administrative
kernel.
Important: By default, the administrative kernel does not require authentication.
However, if you have configured your system to require administrative kernel
authentication, you will need to temporarily disable authentication using the
maintenance mode option before you can access the administrative kernel and change
your password. For information on disabling administrative kernel authentication when
you have forgotten your password, see “Using maintenance mode to disable
authentication when you have forgotten your password” on page F-20.
Changing your password in the administrative kernel
Follow the steps below to change your password in the administrative
kernel.
1. Attach a keyboard and monitor directly to your Sidewinder G2 and
reboot.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. When the "loading/boot . . . . . ." message appears, press
any key to interrupt the boot sequence.
The number sequence 4, 3, 2, 1, 0 is displayed as the Operational
kernel is booting. Press any key before the 0 appears. A Boot: prompt
then appears.
3. Enter the following command:
bsd.sw.admin -w
4. Press Enter when asked whether to check and mount all file systems.
The system prompt will appear.
5. Enter the following command to change your password:
cf adminuser modify user=name password=newpassword
6. To reboot to the Operational kernel, enter the following command:
shutdown -r now
You can now log in using your new password.
Basic Troubleshooting F-19

If you forget your administrator password
F-20 Basic Troubleshooting
Using maintenance mode to disable authentication
when you have forgotten your password
If you have configured your system to require administrative kernel
authentication and you forget your password, you will need to
temporarily disable administrative kernel authentication using the
maintenance mode option, as described below.
1. Attach a keyboard and monitor directly to your Sidewinder G2.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. Insert the Sidewinder G2 Installation–Disk Imaging CD-ROM in the
Sidewinder G2’s CD drive, and then power off the system.
3. Power up the system. Click Continue when the Installation Wizard
appears.
4. On the Installation Type window, use the down arrow to scroll to the
Maintenance Mode option, and press the space bar to select it.
5. Tab to Continue and press Enter. The shell prompt appears.
6. Open the /etc/ttys file for editing.
7. Modify the value of the following line to be secure:
console /usr/libexec/getty pccons ibmpc3 on secure
8. Save your changes and exit.
9. At the shell prompt, type exit and press Enter. The Install Wizard
appears.
10. See “Changing your password in the administrative kernel” on page F-
19 for information on changing your password in the administrative
kernel.

Interpreting beep
patterns
Interpreting beep patterns
Manually clearing an authentication failure lockout
If you have enabled the authentication failure lockout option and
have been locked out of your system, another administrator can log in
to the system and clear the lock using the Admin Console (see
“Configuring authentication services” on page 9-11). However, if you
do not have another administrator who can clear your lock for you,
you can still manually clear your lock by successfully logging in at the
Sidewinder G2, as follows:
1. Attach a keyboard and monitor (or laptop) directly to your Sidewinder
G2.
Note: If your system has multiple keyboard/monitor connection ports, you must
attach the keyboard and monitor into the same keyboard/monitor connection port
pair (that is, attach both items either to the front connection ports or the back
connection ports).
2. [Conditional] If the Sidewinder G2 does not detect the keyboard and
monitor (or laptop), reboot the Sidewinder G2. When the Sidewinder
G2 has booted, the login prompt appears.
3. Log in to the Sidewinder G2. When you successfully log in directly on
the Sidewinder G2, the lock will be cleared automatically and you
should be able to log in to the Sidewinder G2 as usual.
At times, your Sidewinder G2 may emit a beep pattern. The beep
pattern may repeat itself until the issue is addressed. This is the
Sidewinder G2’s way of communicating to you its status and what
needs to happen next. Refer to this chart to interpret the various
patterns and take the appropriate action.
Basic Troubleshooting F-21

Interpreting beep patterns
Table F-4. Sidewinder G2 beep patterns
What you hear What it means What you should do
TWO (2) short beeps
(non-repeating)
THREE (3) short beeps
(repeating)
FOUR (4) short beeps
(repeating)
FIVE (5) short beeps
(repeating)
ONE (1) medium beep
THREE (3) short beeps
F-22 Basic Troubleshooting
Sidewinder G2 successfully
rebooted and is now passing
traffic
Configuration Wizard floppy
diskette is not in its drive
Errors on Configuration Wizard
floppy diskette
(non-content errors)
Unlicensed Sidewinder G2
running in Safe Mode
No action needed, the Sidewinder G2 is
operational.
Insert the Configuration Wizard diskette.
Try again with a new Configuration Wizard floppy
diskette.
If you get this beep pattern upon the initial
installation, do one of the following:
— license the Sidewinder G2 (see
Chapter 3 for details)
— attach a serial console or
monitor and keyboard, then
enter the following command:
stop_beep
Note: Using this command only turns off the beep
pattern, but does not make your Sidewinder G2 fully
operational. You must license the Sidewinder G2
before it will pass and monitor traffic.
Network failure If you get this beep sequence while the
Sidewinder G2 is licensed, troubleshoot your
network connectivity.
Remove media from the
Sidewinder G2
Managed Sidewinder G2 failed
to register with the EM server
Note: This beep pattern can
only occur on a managed
Sidewinder G2.
Remove media and reboot.
Verify the Sidewinder G2 name, registration key,
and administration user name and password
information. Then try again manually to register
the Sidewinder G2 to the EM server.
More...

What you hear What it means What you should do
Long beep followed by
n short beeps
(repeating)
(where n = sequential number
of floppy diskettes to be
installed)
Long beep
(repeating)
If a patch
installation fails
Troubleshooting
proxy rules
Ready for next floppy diskette in
configuration backup
If a patch installation fails
Insert the next floppy diskette in your
configuration backup.
Task failed Contact Customer Support
(if you have a support contract)
Re-install or perform a configuration restore.
In the unlikely event the patch installation fails, the Sidewinder G2
will not be operational, and will instead boot into failure mode. A
message appears when you log in to the Sidewinder G2 and it is in
failure mode.
Failure mode enables the Sidewinder G2 to boot far enough to allow
an administrator to log in. The administrator can then display the log
files and perform diagnostic functions in an effort to determine what
went wrong.
Important: Unless you are an extremely experienced Sidewinder G2 administrator,
please contact Secure Computing Technical Support if your Sidewinder G2 boots into
failure mode.
After correcting the problem you should perform the following steps:
1. Exit failure mode by typing the following command:
cf daemond set failure_mode=off
2. Reboot the Sidewinder G2.
Note: For more information on failure mode, see “daemond” on page 1-12.
The following sections provide information on troubleshooting basic
proxy rule problems. For additional information on troubleshooting
proxy rules, refer to the cf_proxy man page.
Basic Troubleshooting F-23

Troubleshooting proxy rules
F-24 Basic Troubleshooting
Failed connection requests
If the Sidewinder G2 rejects a connection request that you feel should
have succeeded, you can take steps to determine why the connection
was rejected. The steps shown below will help you to locate and
correct rule configuration errors. They will also help you gain a better
understanding of how those rules work.
1. Start the Admin Console and select Services Configuration -> Proxies.
Verify that the appropriate proxy is enabled. The most common mistake
is failing to enable the service type indicated by the proxy rule.
Tip:Verify that all appropriate servers are enabled as well.
2. Select Policy Configuration -> Rules.
Verify that the proxy rule for the proxy or server specifies the correct
network. You need to enable the service type on the correct network to
listen for incoming connections. In the Rules Source/Dest tab, this
corresponds to the Source Burb column.
3. Verify the position of the rules within the Active Rules window. (Select
Policy Configuration -> Rules -> and then click View Active Policy).
The order of the rules in the Active Rules window is important. The
attributes of a connection request sometimes may match more than
one proxy rule. See “Creating proxy rules” on page 7-4 for a detailed
example.
4. Check the audit log information.
If the connection still fails, scan the audit log to determine which proxy
rule denied the connection. See Chapter 18 for details on viewing audit.
The below displays a common scenario, a connection that failed to
match a rule:
Apr 29 16:52:29 2002 CDT f_nss a_server t_acldeny
p_major
pid: 27122 ruid: 0 euid: 0 pgid: 188 fid: 2000001
logid: 0 cmd: ’nss’
domain: nss1 edomain: nss1 srcip: 172.17.9.27
srcburb: 1 dstip: 172.17.9.27 dstburb: 1 protocol: 6
service_name: telnet agent_type: server user_name:
authmethod: acl_id:
cache_hit: 0
5. Turn on verbose auditing of rule (ACL) checks.

Troubleshooting proxy rules
To determine why no proxy rule matched the connection request, type
the following command to turn on verbose auditing of rule checks:
cf acl set loglevel=4
This increases the level of rule audits from the default level 2 (minor) to
level 4 (major).
Note: Modifications to the log level setting will not be overwritten if acld is
restarted. To return the log level to its default value, you must manually reset it.
When the connection attempt is rejected, the proxy or server will
generate a more verbose audit message as shown below:
May 5 02:37:42 2002 CDT f_ping_proxy a_aclquery
t_info p_major
pid: 184 ruid: 0 euid: 0 pgid: 184 fid: 2000001
logid: 0 cmd: 'pingp'
domain: Ping edomain: Ping
+|pingp|INFO|MAJOR|PING_PROXY|aclQUERY
=Skipped 'http_out': query service 'ping' != rule
'http'.
Skipped 'telnet_external': query agent 'proxy' !=
rule 'server'.
Skipped 'http_ssl_out': query service 'ping' != rule
'https'.
Skipped 'ftp_out': query service 'ping' != rule
'ftp'.
Skipped 'telnet_out': query service 'ping' != rule
'telnet'.
Skipped 'nntp_out': query service 'ping' != rule
'nntp'.
Skipped 'real_media_out': query service 'ping' !=
rule 'RealMedia'.
Skipped 'rtsp_out': query service 'ping' != rule
'rtsp'.
Skipped 'gopher_out': query service 'ping' != rule
'gopher'.
Skipped 'finger_out': query service 'ping' != rule
'finger'.
Basic Troubleshooting F-25

Troubleshooting proxy rules
F-26 Basic Troubleshooting
Skipped 'dns_self': query service 'ping' != rule
'dns'.
Skipped 'smtp_out': query service 'ping' != rule
'smtp'.
Skipped 'smtp_in': query service 'ping' != rule
'smtp'.
Skipped 'cobra_all': query agent 'proxy' != rule
'server'.
Skipped 'login_console': query agent 'proxy' != rule
'server'.
Access denied by rule 'deny_all'.
You can use this output to determine why each proxy rule failed to
match the connection request. Locate the proxy rule that you thought
should have matched. Then inspect and correct the proxy rule.
Note: When you are done troubleshooting, type the following command to lower
the level of rule audits back to the default:
cf acl set loglevel=2
If you do not set the loglevel back to 2, you will run out of disk space.
Monitoring allow and deny rule audit events
Another troubleshooting tool is the rule monitoring tool (acat_acls).
This real-time monitoring tool enables you to display allow and deny
rule audit events as they occur on the Sidewinder G2. Because the
rule audit events are displayed in real-time, this tool provides a
Sidewinder G2 administrator a unique window by which to view
Sidewinder G2 rule activity. You can use the tool to determine if your
rule database is properly configured, or to simply view how your
rules are being used on a live system.
For example:
If you are not certain whether your Telnet rule is properly
configured, you can start the monitoring tool, attempt your Telnet
connection and see (in real-time) whether the connection is
allowed or denied.
If you want to see (in real-time) which rules are currently the most
heavily used, start the monitoring tool and watch as the current
rule audit events scroll by within a command window.

Starting the rule
monitoring tool (acat_acls)
Viewing the output from
the rule monitoring tool
Halting and resuming rule
monitoring tool output
Stopping the rule
monitoring tool
Troubleshooting proxy rules
The remainder of this section provides information on using the
monitoring tool. Information can also be found by typing
man acat_acls at a Sidewinder G2 command prompt.
To start the rule monitoring tool, enter the following commands at a
Sidewinder G2 command prompt:
srole
/usr/bin/acat_acls -a -d
where:
-a = display allow rule audit events
-d = display deny rule audit events
If you want to view only allow rule audit events or only deny rule
audit events, simply omit the undesired option (-a or -d).
Each rule audit event is displayed on a single 80-character line using
the following format:
Action Date Time Source Source Dest. Dest. Service Agent
Burb IP Burb IP
The source burb and the destination burb fields will display the burb
index number, not the burb name. The following example shows both
an allow rule audit event and a deny rule audit event:
DENY 02/05/05 02:41:04 2 192.168.179.76 1 192.168.180.87 ping proxy
If the output from the monitoring tool is scrolling by too quickly, you
can temporarily halt the output by pressing the following key
combination:
Ctrl-S
To resume output, press the following key combination:
Ctrl-Q
To stop the rule monitoring tool, press the following two keys
simultaneously:
Ctrl-C
Basic Troubleshooting F-27

Understanding FTP and Telnet connection failure messages
Understanding
FTP and Telnet
connection failure
messages
F-28 Basic Troubleshooting
Active rules and the DNS
If you create a proxy rule that contains a host name or a domain
name, that rule will consult the Domain Name System (DNS) in order
to translate the name to its corresponding IP address. Because of this,
there are some facts related to DNS that you should consider when
setting up your security policy.
The Sidewinder G2 can be configured to use transparent DNS, one
DNS server (known as single or unbound DNS), or two DNS servers
(known as split DNS). The split DNS scenario is the most secure, as
one DNS server is dedicated to your Internet burb and the second
DNS server services your remaining burbs. This essentially isolates the
two DNS servers from each other, protecting your non-Internet burbs
from attacks by malicious persons on the Internet.
However, it is theoretically possible for attackers on the Internet to
feed false information to your Internet DNS server. Therefore, you
should be careful when using rules to allow or deny access to specific
hosts on the Internet.
When dealing with outside connections, there are steps that you can
take to increase the level of assurance:
1. Use IP addresses in your proxy rule instead of host names or domain
names. This avoids having to depend on external DNS.
2. Make the proxy rule demand strong authentication (for example,
SafeWord).
3. Make the proxy rule demand encryption of the connection (for
example, VPN).
For additional protection you should do a combination of the above.
Depending on your Sidewinder G2’s configuration, FTP and Telnet
users will see one of two messages when a connection attempt is
denied by the Sidewinder G2. The type and meaning of these
messages are summarized below.

Troubleshooting
High Availability
Table F-5. Connection failure messages for Telnet
Message Possible Causes
telnet 192.55.214.24
Trying 192.55.214.24
Connected to 192.55.214.24
Escape character is ‘^]’.
Connection closed by foreign host.
telnet 192.55.214.24
telnet: Unable to connect to remote
host: Connection refused.
Note: Similar messages are displayed for failed FTP connections.
Troubleshooting High Availability
✔ Rule entry denied the connection
✔ Server is down
✔ No proxy enabled on port but the
Sidewinder G2 server is enabled
✔ Distinguishing IP addresses were used
but no match was found
✔ No proxy or Sidewinder G2 server
enabled on that port
✔ Default route is wrong on client
This section provides information to determine whether High
Availability is functioning properly.
Viewing configuration-specific information
The cf failover query command gives you configuration-specific
information, as shown in the following example:
failover set priority=255
multicast_group=239.192.0.1 \
heartbeat_burb=internal firewall_id=1 \
interface_test_time=30 ping_wait=0 load_sharing=off
interval_time=1 \ interface_test_failures=3
enabled=on
failover set password=pasword type=sha1
failover add address alias=10.10.1.22 \
remote=172.27.1.21 network=172.27.1.2
failover add address alias=10.10.10.12 \
remote=10.10.10.21 burb=internal
Basic Troubleshooting F-29

Troubleshooting High Availability
F-30 Basic Troubleshooting
Viewing status information
The cf failover status command gives you information on
whether or not HA is active, what state the system is in (primary or
secondary/standby), and useful statistical information.
Viewing status information for a primary
The following example shows sample results for a primary in a peerto-peer
HA configuration:
This system is operating as primary.
Failover is running in burb 3
IP alias 10.10.10.186 assigned to interface eb0
IP alias 192.168.222.186 assigned to interface exp1
IP alias 192.168.107.186 assigned to interface exp0
This system was configured as a standby with priority
245 for firewall ID 186.
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as primary
Active firewall list:
10.10.10.7
Statistics for failover
Failover running since Wed Feb 2 15:04:48 2005
Failover allowing 3 seconds for interface swap
(default)

Troubleshooting High Availability
Number of advertisements sent = 210
Number of received advertisements = 0
Number of rcvd advertisements since primary = 0
Number of times this system has become primary = 1
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 0
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 7
Number of pings received on interface exp0 = 0
Viewing status information for a secondary
The following example shows sample results for a secondary that is
configured for load sharing HA:
This system is operating in load sharing mode as
secondary.
This system is node 1.
The primary is node 0 (10.10.10.6).
Failover is running in burb 3
cluster heartbeat address 10.10.10.186 assigned to
interface eb0
shared cluster address 192.168.222.186 assigned to
interface exp1
shared cluster address 192.168.107.186 assigned to
interface exp0
Failover interface status:
Interface eb0 not monitored
Interface exp1 up
Interface exp0 not monitored
IP Filter tracking state as load sharing peer
Basic Troubleshooting F-31

Troubleshooting High Availability
F-32 Basic Troubleshooting
Active firewall list:
node address
0 10.10.10.6 (primary)
Statistics for failover
Failover running since Wed Feb 2 14:08:52 2005
Failover allowing 3 seconds for interface swap
(default)
Number of advertisements sent = 0
Number of received advertisements = 1404
Number of rcvd advertisements since primary = 1404
Number of times this system has become primary = 0
Number of release messages received = 0
Number of release messages sent = 0
Number of failed takeover attempts = 0
Number of possible duplicate primary messages = 0
Number of heartbeat ack messages received = 0
Number of heartbeat ack messages sent = 1404
Number of messages received with errors = 0
Number of same priority advertisements rcvd = 0
Number of pings received on interface eb0 = 0
Number of pings received on interface exp1 = 46
Number of pings received on interface exp0 = 0
Tip: The failover daemon is named faild. Enter the pss faild command to determine
whether the failover daemon is active.
Identifying load sharing addresses in netstat and ifconfig
Output for netstat -i queries will display load sharing addresses
with a plus (+) sign. The following example displays the results for
the netstat -i command with load sharing enabled.

Troubleshooting High Availability
Name Index MTU Speed Mtrc Burb Address Network
em0 1 1500 100M 0 external 00:0c:f1:c7:ba:ea
em0+ 1 0 external 172.27.1.22 172.27
em0 1 0 external 172.27.1.2 172.27
exp0 2 1500 100M 0 internal 00:a0:c9:9d:99:a1
exp0+ 2 0 internal 10.10.10.22 10.10.10/24
exp0 2 0 internal 10.10.10.2 10.10.10/24
eb0 3 1500 100M 0 heartbeat 00:10:5a:98:51:26
eb0 3 0 heartbeat 10.10.1.2 10.10.1/24
eb0 3 0 heartbeat 10.10.1.22 10.10.1/24
lo0 4 1500 0 Firewall
lo0 4 0 Firewall 127.0.0.1 127
lo0 4 0 external 127.1.0.1 127
lo0 4 0 internal 127.2.0.1 127
lo0 4 0 heartbeat 127.3.0.1 127
Output for ifconfig -a queries will display load sharing addresses
with the word shared. The following example displays the results for
the ifconfig -a command with load sharing enabled.
em0: flags=8843
link type ether 0:c:f1:c7:ba:ea mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 172.27.1.22 netmask 255.255.0.0 broadcast 172.27.255.255
burb external, burb index 1 shared
inet 172.27.1.2 netmask 255.255.0.0 broadcast 172.27.255.255
burb external, burb index 1
exp0: flags=8843
link type ether 0:a0:c9:9d:99:a1 mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 10.10.10.22 netmask 255.255.255.0 broadcast 10.10.10.255
burb internal, burb index 2 shared
inet 10.10.10.2 netmask 255.255.255.0 broadcast 10.10.10.255
burb internal, burb index 2
eb0: flags=8843
link type ether 0:10:5a:98:51:26 mtu 1500 speed 100Mbps
media auto (100basetx full_duplex) status active
inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255
burb heartbeat, burb index 3
inet 10.10.1.22 netmask 255.255.255.0 broadcast 10.10.1.255
burb heartbeat, burb index 3
lo0: flags=8009
link type loop mtu 1500
inet 172.0.0.1 netmask 255.0.0.0
burb Firewall, burb index 0
inet 172.1.0.1 netmask 255.0.0.0
burb external, burb index 1
inet 172.2.0.1 netmask 255.0.0.0
burb internal, burb index 2
inet 172.3.0.1 netmask 255.0.0.0
burb heartbeat, burb index 3
Basic Troubleshooting F-33

Troubleshooting NTP
Troubleshooting
NTP
F-34 Basic Troubleshooting
Interface configuration issues with HA
If you modify your interface configuration, your HA configuration will
not function until you update the HA Interfaces table (in the Admin
Console, select High Availability -> Common Parameters tab) to match
the modified interface configuration. When you are finished updating
the interface information, reboot the Sidewinder G2s.
Troubleshooting remote interface test failover for peerto-peer
HA
If you have a peer-to-peer HA cluster configured and the remote host
used for interface testing becomes unavailable, the primary will report
an interface failure (after the specified number of failed ping attempts
is reached) and failover will occur. When this happens, the new
primary will receive the interface failure status from the former
primary, and interface failure testing will be disabled. In this state, the
standby will take over for the primary only if the primary becomes
unavailable.
Once the remote host is restored, you will need to issue the cf
failover reset command on the standby, and then on the primary
to reset and re-enable the interface failover indicators.
If you have NTP properly configured and enabled, you should be able
to monitor NTP packets being sent/received on the appropriate
Sidewinder G2 interfaces. To do so, enter the following command:
tcpdump -npi ext_interface# port 123
where: ext_interface# is the external interface and number (for
example em0, em1, etc.)
NTP packets should be sent/received every 15-30 seconds.
To check the exact time, enter the date command and compare it to a
known good clock source (for example, www.time.gov).
Note: An NTP proxy and an NTP server cannot run in the same burb. Therefore, if you
have a proxy enabled and running in the same burb as the NTP server, the NTP server will
not start.

Why did NTP stop?
Troubleshooting NTP
NTP is designed to automatically quit whenever the client’s time
deviates from the server’s signal by more than 15 minutes. When a
deviation of this magnitude occurs, NTP writes a message to file
/var/log/messages before quitting.
To restart NTP, first set the Sidewinder G2’s clock manually (refer to
“Setting the system date and time” in Chapter 3) and then follow the
directions below for restarting NTP.
Why does NTP appear to be inaccurate?
You probably have fixclock running.
NTP clients will not synchronize with the Sidewinder G2
This may be because, when the Sidewinder G2 is configured as an
NTP server, it reports itself as a stratum 0 time server. Not all clients
can synchronize from a stratum 0 server. To change the stratum
setting, type the following command:
cf ntp add server burb=burbname ip=127.127.1.0
where: burbname = the burb that is serving time to the NTP clients.
If the Sidewinder G2 is serving time to clients in multiple burbs, and
one or more clients in each burb has a problem with stratum 0
servers, you must type this command once for each burb.
Restarting NTP from the UNIX prompt
If the NTP process stops, you can restart the NTP process by doing
the following:
1. At a Sidewinder G2 command prompt, log in and enter the following
command to switch to the Admn role:
srole
2. To start the NTP time server, enter the following command:
cf server restart ntp burb=burb
Basic Troubleshooting F-35

VPN troubleshooting commands
VPN
troubleshooting
commands
F-36 Basic Troubleshooting
3. [Optional] Verify the state of the NTP servers by entering the following
command:
cf server status ntp
In addition to standard logging, the Sidewinder G2 also performs
auditing of certain system events which allows you to generate
information on VPN connections. Table F-6 shows some useful
commands you can use to track VPN connections in real-time mode
and check VPN settings/configuration.
Table F-6. Basic Sidewinder G2 VPN troubleshooting commands
Commands
tcpdump -npi ext_interface port 500 or proto 50
To show IPSec and ESP traffic arriving at the Sidewinder G2.
cf ipsec q
To review VPN policies on the console.
cf ipsec policydump
To determine if VPN is active - the presence of SPI and transform numbers
indicates the secure connection is functioning.
showaudit -v
To show detailed audit trace information for VPN. To enable a more detailed
auditing level, in the Admin Console select VPN Configuration> ISAKMP
Server and change the audit level using the pull-down menu.

R EFERENCE
Glossary
ACE/Server A server made by Security Dynamics Incorporated that can be used to
authenticate users attempting connections through (or to) the Sidewinder
G2.
ACL (access control list) Another term for active rule group.
activation The process by which a customer’s licensed software becomes active.
activation key A string of numbers and characters that allows the operation of the
software.
active rule group A rule group, often made up of nested rule groups and rules, that is
loaded in to the Sidewinder G2 kernel and begins actively monitoring
traffic coming into and leaving the Sidewinder G2.
ActiveX Microsoft’s name for certain object-oriented programming technologies
and tools. ActiveX is often downloaded and executed on a local system
when browsing the Internet, and may require specific port restrictions.
Consult Microsoft’s documentation for more information.
Admin Console The graphic user interface (GUI) used to configure and manage the
Sidewinder G2. The Admin Console runs on Windows-based platforms.
Admin Console tree The hierarchical layout in the left–hand panel of the Admin Console.
Admn domain The physical and logical resources within the UNIX operating system that
has access to most of the other domains.
admin role The role is assigned to administrators authorized to work in the Admn
domain with full privileges. An administrator assigned the admin role can
use all menus and commands in the Admin Console. This includes adding
or removing users, backing up and restoring the system, and using all
other system functions and commands.
adminRO role The read–only role assigned to administrators authorized to access and
view, but not modify, information. The AdminRO role is essentially an
auditor role, allowing the administrator to view system and audit
information, as well as generate reports.
G
Glossary G-1

G
Glossary
G-2 Glossary
Administrative kernel A UNIX kernel that provides the environment needed to perform
administrative tasks such as installing software or running a system
backup. When the Administrative kernel is running, all network
connections are disabled and Internet services are not available; Type
Enforcement security is disabled. See also Operational kernel.
alarm event A Sidewinder G2 feature used to monitor your network for potentially
threatening activity, such as an attempted attack or an audit overflow.
When an alarm event is generated, an appropriate event response is
issued.
alias An arbitrary name that a system administrator can assign to a network
element. Aliases can typically be any combination of up to 16 characters
(without spaces).
API (application
program interface)
A stable, published software interface to an operating system or specific
software program by which a programmer writing a custom application
can make requests of the operating system or specific software program.
(An API provides an easy and standardized connection to a particular
software component.).
Application Defenses A feature that is incorporated in proxy rules to configure applicationspecific
properties for each proxy on a per-rule basis. Properties include
basic timeout properties and application-specific permissions, as well as
anti-virus, anti-spam, SSL decryption, and Web services management for
key proxies.
application-layer proxy Also known as an intelligent proxy. Application-layer proxies check
application-layer data as it comes into the Sidewinder G2. If the data is
compliant with that application’s standard, the Sidewinder G2 initiates a
new connection on its opposite side and passes on the data. If the data is
not compliant, the Sidewinder G2 drops the data.
auditing A method of collecting and storing information that can be used to track
system activity (for example authentication attempts, configuration
modifications, stopping and starting of services, etc.).
authentication A process that verifies the authenticity of a person or system before
allowing access to a network system or service.
authenticator A device or mechanism used to verify the identity of an individual logging
onto a network, application, or computer. Authenticators are also called
tokens.
BIND (Berkeley
Internet Name
Domain)
A standard program which implements the Domain Name Service (DNS).

Glossary
BSD/OS The operation system obtained from Wind River, Inc., and used as a base
for developing SecureOS. See also SecureOS
burb A set of one or more interfaces and the group of systems connected to
each interface that are to be treated the same from a system security
policy point of view.
certificate See digital certificate.
Certificate Authority
(CA)
CGI (common gateway
interface)
A highly trusted entity, that issues and revokes certificates for a set of
subjects, and is ultimately responsible for their authenticity.
Any server-side code that accepts data from forms via HTTP. The forms
are generally on Web pages and submitted by end users.
challenge A set of random numbers generated by the computer being accessed. The
numbers are entered into the authenticator, which then generates a
password. You can set some authenticators to generate a password in
response to a challenge.
cipher key In order for encryption to be unique, it uses a random set of characters,
called a cipher key. Encrypting data using two different keys will produce
two completely different results. All authenticators contain at least one
key that they use to generate passwords.
circuit proxy See network-layer proxy.
client A program or user that requests network service(s) from a server.
Configuration Wizard A Windows-based program that allows you to create an initial
configuration for your Sidewinder G2 or G2 Enterprise Manager.
daemon A software routine within UNIX that runs in the background, performing
system-wide functions.
daemond (Pronounced daimon-dee) A powerful Sidewinder G2 component process
that enhances overall security by monitoring and controlling all of the
Sidewinder G2’s major software components. It also detects and audits
some classes of attacks against the Sidewinder G2.
dark data center A term used to describe a data process facility where all machines are
designed to be managed remotely. This type of facility maximizes storage
space by rack-mounting computers and minimizes overhead costs by not
needing lights. Machines stored in a dark data center ideally require
minimal physical human interaction.
Glossary G-3

Glossary
G-4 Glossary
digital certificate A data structure that is digitally signed by a CA, or a signature source that
users can trust. The certificate contains a series of values, such as the
certificate name and usage, information identifying the owner of the
public key, the public key itself, an expiration date, and the name of the
CA that generated the certificate.
DMZ (demilitarized
zone)
DNS (domain name
system)
A network buffer zone that generally hosts services that require
interaction with Internet traffic, while still protecting internal systems. On
Sidewinder, the DMZ is generally a burb for hosting Web servers and
other hosts that receiving large volumes of external, untrusted traffic.
A TCP/IP service that maps domain and host names to IP addresses, IP
addresses to domain and host names, and provides information about
services and points of contact in a network or the Internet. A set of
connected name servers and resolvers allows users to use a host name
rather a 32-bit Internet address.
domain (1) Relative to networking, the portion of an Internet address that denotes
the name of a computer network. For instance, in the IP address
jones@bizco.sales.com, the domain is bizco.sales.com.
(2) Relative to Type Enforcement, an attribute applied to a process
running on SecureOS that determines which system operation the process
may perform.
DoS (denial of service) Event in which a network experiences a loss of a service, like e-mail or a
Web server, that is expected to be available. This event is generally
caused by a malicious attack, but may also happen accidentally.
DSS (defender security
server)
A server made by AssureNet Pathways that can be used to authenticate
users attempting connections through (or to) the Sidewinder G2. See also
SecureNet Key (SNK).
dynamic password The unique one–time response to a log in challenge or special code
presented by an authentication server. Each password is obtained using a
software or hardware authenticator that communicates with a password
generator.
editor A program that can be used to create or modify text files. See also file
editor.
encryption Data encryption uses a secret code to scramble information so that it can
be read only by computers using the same code or encryption
technology. While encryption reduces the risk of unauthorized access, it
does not create a totally safe networking environment on its own.
end user See user.

Glossary
event response A response to an alarm event that includes notifying the administrator
and/or performing a Strikeback.
extended
authentication
(XAUTH)
An extension of the IKE protocol. It provides a mechanism to employ an
administrator–selected authentication mechanism in addition to the
existing IKE authentication (that is, in addition to certificate based or preshared
key authentication). It initiates after the existing IKE authentication
mechanism is successful. XAUTH enables use of strong authentication
(sometimes referred to as legacy authentication) in VPN configurations.
external DNS External DNS provides a limited external view of the organizational
domain. No internal information is available to the external DNS and only
the external DNS can communicate with the outside. Therefore, no
internal naming information can be obtained by anyone on the outside.
The external DNS cannot query the internal DNS or any other DNS server
inside the Sidewinder G2.
failover See high availability.
failure mode See safe mode.
File Editor The program available directly in the Admin Console that can be used to
create or modify text files. The File Editor communicates with the
Sidewinder G2 using a secured connection.
firewall A network component that filters traffic between a designated “protected
network” and external networks. A firewall ensures that the protected
network is safe from unauthorized entry and file manipulation.
firewall ID The MAC address by which you choose to identify your Sidewinder G2.
The firewall ID is used when activating your Sidewinder G2.
fixed password A string of characters of varying lengths and composition (text and/or
numerics) used to identify a user attempting to access a service. Fixed
passwords remain unchanged unless given a finite life span. Fixed
passwords are also known as memorized passwords.
FTP (file transfer
protocol)
A protocol used on the Internet for transferring files.
FTP site An Internet site that hosts directories and files that you can browse and
copy to your system using the file transfer protocol (FTP).
gateway A network component used to connect two or more networks that may
use dissimilar protocols and data transmission media.
generic proxy An administrator–configured Sidewinder G2 proxy that is not part of the
Sidewinder G2’s preconfigured proxies.
Glossary G-5

Glossary
G-6 Glossary
group Logical groupings of two or more users, identified by a single name. See
rule groups, user groups.
hardware acceleration A licensed feature that improves throughput for system performance
when processing traffic. This feature consists of both hardware and
software elements.
hardware
authenticator
Also referred to as tokens. Hardware authenticators are hand-held devices
that use an internally held cryptographic variable to generate a dynamic
(single-use) passcode.
high availability A licensed feature that allows a second Sidewinder G2 to be configured
either in a load sharing capacity or in "hot backup" mode.
host Any computer connected to a network; for example, a workstation,
router, Sidewinder G2, or server.
HTML (hypertext
markup language)
HTTP (hypertext
transfer protocol)
HTTPS (hypertext
transfer protocolsecure)
ICANN (Internet
Corporation for
Assigned Names and
Numbers)
IETF (Internet
Engineering Task
Force)
IKE (Internet key
exchange)
A simple programming language used to create Web documents.
Hypertext uses special links that you can click to jump from one related
topic to another.
An agreed-upon format (protocol) that requests and transfers HTML
documents on the World Wide Web.
An agreed-upon format (protocol) that requests and transfers HTML
documents on the World Wide Web in a secured manner.
A U.S. non-profit organization designated to allocate IP address space,
assign protocol parameters, perform domain name system management,
and maintain root server systems. Other domain registration companies
are available.
The organization that developed the IPSec standard which protects data
on unprotected (or untrusted) networks such as the Internet.
A key management protocol standard which automates the
implementations of other protocols (ISAKMP, Oakley, etc.) used in a VPN
connection.
interface A shared boundary through which information can be exchanged. (An
interface may be a shared portion of computer software accessed by two
or more programs, a hardware component linking two devices, or a
device or program allowing a user to communicate and use the computer
or program.)

Glossary
internal DNS Manages DNS information only available to internal machines. The
internal name server cannot receive queries from external hosts since it
cannot communicate directly with the external network. Resolution of
external DNS information both for the Sidewinder G2 itself and to handle
internal queries for external information are handled by the internal name
server. Although it is unable to communicate directly with external hosts,
it is able to send queries and receive the responses via the external DNS.
IP address A 32- bit address that uses standard dotted quad notation assigned to
TCP/IP network devices. An IP address is unique to each machine on the
Internet. An IP address contains a network and host field.
IP Filter Provides the ability to specify rules to allow IP-based traffic to flow
through the Sidewinder G2 at the network layer. For example, traffic may
pass through the Sidewinder G2 without being passed to the application
proxies. IP Filter can be used for tracking TCP session states, and is
sometime referred to as "stateful inspection."
IPSec (Internet
Protocol Security)
ISAKMP (internet
security association
and key management
protocol)
ISP (Internet Service
Provider)
A set of standards created to provide data integrity and confidentiality at
the IP layer of the network stack.
A protocol framework which sets the parameters for a VPN connection by
defining the payload format, how the key exchange protocol will be
implemented, and how the security association will be negotiated.
A company that provides individuals and other companies access to the
Internet and other related services such as Web site building and virtual
hosting. An ISP has the equipment and the telecommunication line access
required to have a point-of-presence (POP) on the Internet for the
geographic area served.
kernel Manages all physical resources, including scheduling of processes, virtual
memory, file system management, reading and writing files to disk or
tape, printing, and network communications. The Sidewinder G2 is run in
one of two kernels: the operational kernel or the administrative kernel.
key pair The reference to a private key and a mathematically-related public key.
The private key is safeguarded by the owner, and known only to them.
The public key can be distributed to anyone. This allows one key to be
used for encryption, and the other key to be used for decryption.
key pair generation The process of generating mathematically-related public/private key pairs.
LDAP Lightweight Directory Access Protocol. An internet standard for directory
services that run over TCP/IP.
Glossary G-7

Glossary
G-8 Glossary
login ID When used in conjunction with a password, a means of authentication to
start a session with a computer system.
MAC (media access
control)
A unique address assigned to network interface card hardware as a means
of identification. Sidewinder G2 licenses are locked to a MAC address on
the Sidewinder G2.
mail server A network computer that serves as an intermediate station for electronic
mail transfers.
man page Short for manual page, refers to the online help that is available within
the UNIX operating system. For example, entering man ls at the UNIX
prompt displays a description of the UNIX ls command.
MAT (multiple address
translation)
MIB (management
information base)
MIME (Multi-purpose
Internet Mail
Exchange)
MX (mail exchanger)
records
The ability for a single Sidewinder G2 interface to support multiple
external IP addresses so that inbound connections can be directed based
on IP addresses and service. MAT allows proxies to be directed to
different destinations for the same service by the IP address to which it
was connected.
Within SNMP architecture, a database that stores information about
managed objects. These objects are used in the management of networks.
Allows a mail client or Web browser to send and receive non-textual
information, such as graphics, audio, video, and spreadsheets.
Entries in DNS that define where e-mail addresses within domain names
get delivered.
name resolution The process in which name servers supply address and hostname
information to hosts.
name server A network computer that maintains a relationship between IP addresses
and corresponding domain names.
NAS (Network Access
server)
NAT (network address
translation)
A computer that is specially made to receive communications from
outside an organization and distribute them within the organization on its
network. It uses TACACS +, RADIUS, or other protocols for authorization
and sometimes for accounting.
The ability of the Sidewinder G2 to rewrite the source address of a packet
to a new IP address specified by the administrator.
nested rule group A nested rule group is a rule group that you place within another rule
group.

Glossary
network-layer proxy Also known as a circuit proxy. Network-layer proxies check data at the
transport and session (TCP/IP) layers to verify that the data packet
complies with expected standards.
NIC (network interface
card)
NNTP (network news
transport protocol)
Hardware, like a computer circuit board, that contains a port or a jack that
enables a computer to connect to network wiring (ethernet cable, phone
line, etc.).
The protocol by which network news articles are transferred or read
across the Internet.
node (1) Any network device such as a workstation or server.
(2) The connection point for devices in a network.
non-anonymous FTP An FTP site that can only be accessed by individuals who enter a valid
user name and password.
nslookup (name server
lookup)
NSS (network service
sentry)
NTP (network time
protocol)
A UNIX command that allows you to interactively query a DNS server and
ensure the name server is properly resolving host names and IP
addresses.
Manages servers and proxy services on the Sidewinder G2.
A protocol that provides a way to synchronize all clocks on a network, or
to synchronize the clocks on one network with those on another
network.
object Generally an item that you can individually select and manipulate,
including shapes and pictures that appear on a display screen, as well as
less tangible software entities.
ODBC (Open Database
Connectivity)
A widely accepted application programming interface (API) for database
access. It is based on the Call-Level Interface (CLI) from X/Open and ISO/
IEC for database APIs and uses Structured Query Language (SQL) as its
database access language.
off-line State of a computer when it is not connected to another device.
on-line State of a computer when it is connected to another device.
operational kernel The Sidewinder G2 SecureOS kernel that provides the normal operating
state, including Type Enforcement controls. When this kernel is running,
the Sidewinder G2 can connect to both the Internet and the internal
network, and all configured services are operational.
OS (Operating System) The master control program that keeps everything flowing smoothly
inside your computer.
Glossary G-9

Glossary
G-10 Glossary
OSPF (Open Shortest
Path First)
A routing protocol that dynamically updates changes to routing table
information. This protocol is an enhancement over previous protocols
that required entire tables to be updated instead of changed data only.
packet filtering Packet filters allow network administrators to limit a user's access to
specific services on the network. For example, a user may be allowed to
send electronic mail, but not copy data files from the network. Packet
filtering on the communications server analyzes each message being sent
from a remote client. The filter can determine the computer and service
the user is attempting to reach and either permit or deny access to that
service.
password The most common form of authentication security. Some networks
require multiple levels of passwords to gain access to various servers or
databases. Passwords become weak links when they are shared among
colleagues, stolen, written down or created in such a way that they can be
easily guessed.
PIN (Personal
Identification Number)
A number known only by an individual for the purpose of helping
identify a person during a computer-based authentication process. PINs
should be memorized by the individual.
ping A command that sends an ICMP message from a host to another host over
a network to test connectivity and packet loss.
PKI Public Key Infrastructure. A PKI is a system for distributing public
cryptographic keys within a community of interested users. The
predominant model (based on X.509) makes use of digital certificates
generated by certificate authorities. A PKI enables secure remote
communication in a number of network application areas.
port The number that identifies the destination application process for
transmitted data. Port numbers range from 1 to 65535. (For example,
Telnet typically uses port 23, DNS uses 53, etc.)
primary name server The DNS server for a domain where the name information is stored and
maintained.
private key The private key is used to decrypt messages that were encrypted with the
corresponding public key. A private key can also be used to digitally sign
messages. The recipient can use the corresponding public key to verify
the authenticity of the message.
protocol A set of rules by which one entity communicates with another, especially
over a network. This is important when defining rules by which clients
and servers talk to each other over a network. Important protocols
become published, standardized, and widespread.

Glossary
proxy A software agent that acts on behalf of a user requesting a network
connection through the Sidewinder G2. Proxies accept a connection from
a user, make a decision as to whether or not the user or client IP address
is permitted to use the proxy, optionally does additional authentication,
and then completes a connection on behalf of the user to a remote
destination.
proxy server A server that acts on behalf of another server, and may perform tasks such
as caching, access control, or provide a route to a destination server.
Administrators may choose to configure proxy servers as transparent,
meaning the end user is unaware of the proxy server’s presence, or nontransparent,
meaning the end user must authenticate to, or interact with,
the server.
public key A public key is used to encrypt messages that only the holder of the
corresponding private key can decrypt. Public keys can also be used to
verify the authenticity of digitally-signed documents.
public key
cryptography
A class of cryptographic methods that employ a pair of keys for
encrypting and decrypting messages. A message encrypted with the
public key can only be decrypted with the corresponding private key.
Within a public key cryptography system, the public key may be made
public without compromising the encrypted data. Public key
cryptography enables encryption and digital signatures, and simplifies
cryptographic key distribution through the use of a public key
infrastructure.
RADIUS Remote Authentication Dial-In User Service. An authentication protocol
developed by Livingston Enterprises Inc. Recognized by the Internet
Engineering Task Force (IETF) as a dial-in security solution on the
Internet.(RFC 2138).
RAID (redundant array
of individual disks)
Stores information on multiple hard disks to provide redundancy. Using
RAID can improve performance and fault-tolerance.
redirected proxy A Sidewinder G2 proxy option that reroutes a connection to a specific
host system, hiding the actual destination address or port from the system
requesting the connection.
reference
implementation
An IETF term. It is the particular implementation of the protocol or
standard that is referred to and used in the associated RFC.
registration The process of authenticating one Sidewinder G2 to an HA cluster or
One-To-Many cluster. This process establishes an encrypted, trusted
connection between the two systems.
remote management The ability to administer a system from a remote location.
Glossary G-11

Glossary
G-12 Glossary
RFC (Request for
Comments)
RIP (Routing
Information Protocol)
One of a series of documents recognized by the Internet Engineering
Task Force (IETF). Most RFCs document protocol specifications and
standards.
A protocol that updates routing tables.
role A login mode used for administrating the Sidewinder G2. The Sidewinder
G2 separates administrator access into two roles: admin (write privileges)
or adminro (read-only privileges).
root In UNIX, a user name that gives special privileges to a person who logs
onto the system using that name and the correct password. The root user
name allows the user to have access to all of the systems files. The
Sidewinder G2 does not allow root privileges.
root servers The highest level DNS servers.
router A network device that forwards data between two or more networks,
delivering them to their final destination or to another router.
rule A rule is a mini policy which contains criteria that is used to inspect
incoming or outgoing traffic. Rules determine whether that traffic will be
allowed to continue to its destination. There are two distinct rules types
that you can configure on the Sidewinder G2: proxy rules and IP Filter
rules.
rule group An organized set of rules. A rule group can consist of both rules and
nested rule groups.
safe mode Also known as failure mode, a Sidewinder G2 operating state that allows
system administration while not allowing network traffic to pass through.
A Sidewinder G2 can enter this mode under conditions that include: (a)
after a failed license check, (b) after a reboot during which the system
detects a problem with an installed patch, (c) after a reboot during which
the system failed to start a critical service, or (d) after the audit partition
has overflowed.
secondary name server DNS servers that download and record a backup copy of domain
information from a primary DNS server.
SecurID token A small hand-held device used to calculate the proper response during a
login attempt.
SecureNet Key (SNK) A strong authentication system made by Digital Pathways Incorporated.

Glossary
SecureOS The UNIX-based operating system used in a Sidewinder G2 system.
SecureOS is built upon BSD/OS and includes Type Enforcement security
mechanisms.
session The time period during which a terminal user logs on the system until
they log off the system.
server A computer system that provides services (such as FTP) to a network, or a
program running on a host that offers a service to other hosts on a
network.
SMTP (simple mail
transport protocol)
SNMP (simple network
management protocol)
The TCP/IP protocol that transfers e-mail as it moves through the system.
The industry standard protocol used for network management.
SNMP agent A server that communicates with SNMP management stations to provide
information and status for a network node.
SOA (Start of
Authority)
A record found in every DNS zone that contains information about which
DNS server is the primary name server, in addition to other administrative
information about the zone.
srole A Sidewinder G2 UNIX command used to change to a different domain
(User, Admn, or AdmRO).
SSO (single sign-on) The ability of a user to authenticate once and then have access to
protected content on sites in multiple internet domains.
standalone Refers to a device or software program that is self-contained; one that
does not require any other device or software program to function.
standard password
authentication
A UNIX mechanism that requires someone logging into a network server
to enter a password in order to prove they have a valid login account.
stateful inspection Method of checking a data packet’s source and destination. The
information is recorded in a dynamic state table. New packets from the
same session are checking against the table to ensure that they are valid.
Invalid packets are dropped.
Strikeback® A Sidewinder G2 feature that can be configured to gather information
about detected network access violations, or ignore packets from a
particular host for a specified period of time.
Glossary G-13

Glossary
G-14 Glossary
strong authentication A login process that requires a user to enter a unique, one-time response
to a login challenge or special code presented by an authentication
server. The authentication server resides somewhere in the internal
network and sends a log in challenge to a user when he or she attempts
to log in. The user must make the proper response to the challenge using
a special hardware or software token.
subnet A network addressing scheme that separates a single network into a
number of smaller physical networks to simplify routing.
syntax Refers to the spelling and grammar of a programming language.
Computers are inflexible machines that only understand what you type if
you type it in the exact form (syntax) that the computer expects.
TCP/IP (transmission
control protocol/
internet protocol
A networking protocol suite created for use in the Internet.
Telnet A TCP/IP protocol that directs the exchange of character-oriented data
during a client-to-server session.
token A small hand-held hardware device or client software used to generate a
one-time passcode or password. See hardware authenticator.
traceroute A UNIX command that shows all of the routing steps between a host and
another host.
trap An SNMP alert message sent as an unsolicited transmission of information
from a managed node (router, Sidewinder G2, etc.) to an SNMP
management station.
Type Enforcement® Secure Computing’s patented security technology that protects against
intruders by preventing someone from taking over the UNIX operating
system within Sidewinder G2 and accessing critical files or doing other
damage.
UAP User Authentication Points.
UDP (user datagram
protocol)
A connectionless protocol that transfers data across a network with no
reliability checking or error checking.
UNIX A powerful operating system used in high-end workstations and
computer systems on the Internet. It allows a single computer to operate
multiple programs and be accessed by other computers, all at the same
time.

URL (universal
resource locator)
Glossary
Provides the address of specific documents on the Web. Every Internet
file has a unique URL; they indicate the name of the server, the directory,
and the specific document. The form of a URL is protocol://pathname. For
example, ftp://www.website.com; http://www.website.com.
user (end user) A collection of specific data elements that identify the user to the system,
define the resources to which they have access, the administrative group
to which they belong, and their role within a network structure.
user domain The domain that allows access to all nonsensitive files.
user groups A logical grouping of two or more users, identified by a single name.
VPN (virtual private
network)
A method of authenticating and encrypting data transmissions between
the machines (Sidewinder G2-to-Sidewinder G2, Sidewinder G2-to-client)
via the Internet. VPN makes it appear as though the networks on the
internal side of the Sidewinder G2s are connected to each other via a pair
of routers with a leased line between them.
VPN tunnel A secure route via the Internet between two machines (Sidewinder G2-to-
Sidewinder G2, Sidewinder G2-to-client, etc.) that use authentication and
encryption to transfer data.
warder A Sidewinder G2 server that provides an interface between the proxy
software and the various authentication services.
weak authentication A login process that merely requires a user to enter the same password
each time he or she logs in. The “standard” UNIX password process is
considered a weak authentication method. If someone “sniffs” the
password off the phone line or network as it is transmitted they can
conceivably use that password to then break into the system. Because
your internal network is thought to be “trusted,” this type of
authentication is generally used for authenticating internal-to-external
proxy connections.
TCP/IP (transmission
control protocol/
internet protocol
UDP (User Datagram
Protocol)
A networking protocol suite created for use in the Internet.
A connectionless protocol that transfers data across a network, with only
limited reliability checking or error checking.
Web farm A group of computers that host multiple Web servers for one Web site or
a group of Web sites belonging to the same company. Load balancing is
often used to distribute traffic among the servers to handle shifts in
demand.
XAUTH An abbreviation of Extended Authentication.
Glossary G-15

Glossary
G-16 Glossary

A
R EFERENCE
Index
A record (address record) 10-23, 10-26
acat_acls F-26
accept certificate 2-6
access control
report 18-28
access rules
DNS rules 4-27, 4-28
account
administrator 3-5
changing password 3-9
ACE/Server 9-8
ACL
monitoring tool F-26
rule checking 11-8
sort 18-26
activation process 3-19
active network connections report 17-22
activity reports 18-30
adding
disk space F-14
hardware F-14
host 2-4
memory F-14
address
pools 13-18
redirection 7-6, 8-6
Admin Console 2-2
administration options 2-2
configuring user groups 5-3
exit 2-9
File Editor 2-12
file editor 11-8
logging in 2-5
main window 2-8
management 3-56
setting system date and time 3-9
tips when using 2-11
valid port values 1-16
admin role
file access 1-8
tasks 3-5
administration
remote via SSH 2-17
remote via telnet 2-24
Administration Services Only
proxy rules 4-25
administration tool 2-2
administrative kernel 1-4, 1-8
authentication F-3
backups F-6
booting to F-2
checking if you’re in 3-11
clear authentication lockout F-21
features 1-5
when to use 3-2
administrator
account 3-5
authentication 9-3
cautions when editing UNIX files A-11
adminro role
tasks 3-5
Admn domain 1-8
alarm event
ignore network probe attempts 17-17
alarm events
auditing 17-13
configuration window 17-2
event responses 17-8
example scenario 17-13
filter types 17-14
list 17-2
algorithms with VPN 13-63
In
Index In-1

In
Index
In-2 Index
alias
IP addresses 3-52, 4-34
mail 11-22, 11-26
root 11-26
allow-query option 10-16
allow-transfer option 10-16, 10-20
allow-update option 10-20
Anit-spam
whitelist 11-13
anonymous ftp 14-11
Anti-spam filtering
advanced 11-13
Anti-virus filtering
for Mail 6-26
for Web 6-13
aol proxy 8-9
Application Defenses 6-1
Citrix 6-31
FTP 6-33
groups 6-46
Mail 6-21
Multimedia 6-36
Oracle 6-38
Secure Web 6-4
SNMP 6-42
SOCKS 6-41
standard 6-45
Web 6-4
Web Cache 6-19
audit 18-5
*.gz files 18-6
*.raw files 18-6
alarm event notification 17-13
alarm events 17-13
configuring 17-1
editing configuration files 17-12
event type numbers 17-14
events 18-6
exporting data 18-11
overview 18-5
probe attempts 18-28
root accesses 18-28
sample message 18-19
sending SNMP traps 14-4
sending to syslog 18-22
SNMP traps 14-4
Strikeback 17-14
Strikeback commands 17-11
understanding messages 18-19
viewing 18-7
viewing messages 18-19
audit.raw file 10-36, 18-5
audit_filters.conf file 18-5
auditbot
process 17-2, 18-5
auditbotd.conf file 17-2
auditd.conf file 18-5
authentication
administrative kernel F-3
administrators 9-3, 9-33
authenticators 9-4
clear locks F-21
defined 13-3
enable/disable in admin kernel F-
20
failure lockout 9-13
in proxy rules 4-19
LDAP 9-16
methods 9-5
overview 9-9
password 9-6, 9-18
proxies 9-2
RADIUS 9-8, 9-19
SafeWord PremierAccess 9-6, 9-
21
SafeWord RemoteAccess 9-6
SecurID 9-8
SNK 9-8, 9-24
SNMP message header 14-3
SSH login 2-18
SSO 9-27
strong 9-3
summary 9-1
user groups 4-8
warder 9-9
weak 9-3
Web session authentication 9-32
Windows Domain 9-8, 9-26
with VPN 13-3
authenticators 9-4
B
backup

ackup_file_list 3-15
complete (full) F-5
configuration files 3-13
contents 3-15
example F-7
file types F-4
in administrative kernel F-5
incremental F-6
levels F-5
overview F-4
restore F-8
backup configuration files
via command line F-14
beep patterns F-21
bibliography xiii
binary characters 6-26
BIND 10-4
blackhole list 11-22, 11-24
boot process
failure F-16
boot prompt F-2
boot.default file 3-58
booting 3-2
broadcast address 13-25, D-15
browser 12-6, 12-10, 12-19
caching 12-11, 12-15
download MIB files 14-11
Internet Explorer 12-21
Netscape 12-21
SmartFilter compatible 6-21
BSD/OS 1-4
burb 1-9
configuring 3-48
Internet 3-49
C
caching
configuring 12-15
Web pages 12-11
WebProxy server 8-18, 12-15
category codes (SmartFilter) E-10
category names (SmartFilter) E-10
Caution tag xiv
certificate accept window 2-6
Certificate Authority (CA)
checking 13-38, 13-41
Index
defined 13-6
definition 13-27
public versus private 13-31
certificate management daemon 13-14
certificate server 13-13
certificates
configuring 13-37, 13-40
defined 13-27
cf command A-1
command syntax A-2
displaying the man page listing A-2
overview A-1
summary A-1
change password server 9-34
changepw_form proxy 8-9, 9-35
changing admin password 3-9
check-names option 10-15, 10-19
chtype command 11-20, A-13
Citrix proxy (ica) 8-10
client address pools 13-18
clientless VPN 8-18, 12-3
cluster
high availability 16-1
one-to-many 15-1
clustering
see One-To-Many 15-1
CMD server 13-14
CNAME record 10-27
command line interface 2-2
community names 14-3
config.txt
SmartFilter E-8
config.txt file
SmartFilter E-7
configuration
auditing 17-1
auditing files 17-12
DNS 10-5, 10-9
files 3-13, A-11
interface 3-50
mail 11-12
mail host 11-6
OSPF C-6
Strikeback 17-1
Configuration Wizard
diskette F-17, F-22
configurator (cf) command A-1
Index In-3

Index
In-4 Index
configuring
network objects 5-10
user groups 5-3
connection service type 4-18
control list
category codes (SmartFilter) E-10
for Web access E-1
SmartFilter E-1
control list (SmartFilter)
category names (SmartFilter) E-10
control list for Web access 12-14
CPU
time by process 17-20
CRL 13-33
cron scripts A-15
D
daemond 1-12
daily system activity report 18-30
date (setting) 3-9
decryption 13-4
default
route 3-54
default proxy rules 4-21
deleting
roles 3-7
destination burb 4-18, 7-6
destination network object 4-18
dig command 17-11, 17-14, 17-24
directory type
checking A-12
disable
multi-processor mode 3-57
servers 3-30
discard
netprobes 17-17
disk space F-14
diskette
Configuration Wizard F-17, F-18, F-
22
Distinguished Names 13-35
DNS 10-1
A record (address record) 10-23, 10-
26, 10-27
access rules 4-27, 4-28
advanced server options 10-15
advanced zone options 10-19
BIND 10-4
CNAME record 10-27
configuration 10-5, 10-9, 10-11
configuration utility 10-29
disabling servers 10-7
editing configuration files 10-9
enabling servers 10-7
file types 10-36
files 10-4
forward zones 10-18
forwarders 10-13
HINFO 10-27, 10-28
hosts 10-25
if turned off 10-7
logging 10-36
mail exchanger records 10-24
master zone 10-18
master zone attributes 10-20
master zone contents 10-25
MX record 10-4, 10-27, 10-28
name servers table 10-24
proxy 8-9
query 10-4
reconfigure 10-29
reverse zones 10-18
serial number 10-22
servers for VPNs 13-23
Sidewinder Hosted 10-2
Sidewinder hosted 10-11
slave zone 10-18
SOA record 10-21
split DNS mode 10-7, 10-8
sub-domain 10-23
transparent 10-2, 10-9
TTL value 10-22
zone 10-16
do.dump script F-5, F-9
do.restore script F-11
documentation xii
domain definition table 1-5, 1-8
domain name 4-18
domain object 4-10
configuring 5-12
domains
access 1-7
Admn 1-8

checking 3-12
creator A-12
current 3-12
defined 1-6
file access 1-8
for processes 17-20
in operational vs. admin kernels 1-5
mail 11-2, 11-3, 11-6
DSS 9-8, 9-24
dynamic IP addressing
Adding a new VPN 13-55
dynamic routing C-1
E
editing UNIX files A-11
editors
Admin Console File Editor 2-12
changing default A-10
emacs A-10
vi A-10
emacs editor
commands A-10
using A-10
enable
automated package install 3-46
multi-processor mode 3-57
periodic patch imports 3-44
servers 3-30
encryption 13-4
defined 13-3
for external-to-internal proxy 8-3
with VPN 13-3
errors F-21
etc/crontab A-15
etc/daily script 18-30
etc/login.conf 1-13
etc/monthly script 18-30
etc/resolv.conf file 10-6
etc/server.conf 1-13
etc/sidewinder/daemond.conf 1-13
etc/syslog.conf file 18-22
etc/weekly script 18-30
event responses 17-8
e-mail 17-10
pager 17-10
strikeback 17-11
exclude_file_list file 3-15
executables
installing 1-8
exiting roles 3-12
export
audit data 18-11
Extended Authentication 13-8
F
failed connection request
proxy rules F-24
failover
see high availability 16-1
failure lockout
authentication 9-13
failure mode F-23
see safe mode 1-13
fast path sessions 6-49
file editor
Admin Console 11-8
file permissions A-12
file type
.forward files 11-20
checking A-12
DNS files 10-36
when backing up F-4
when restoring F-4
files
backing up F-4
configuration A-11
restoring F-11
rotating A-15
filesystems
restoring F-11
filtering
mail 6-22
Web 6-13
finger command 17-11
finger proxy 8-9
firewall
monitoring 18-3
firewall certificate 13-37
firewall license 3-19
fixed IP 13-25
forward files 11-5, 11-20
forward zones 10-18
Index
Index In-5

Index
In-6 Index
fsck command F-16
ftp
no connection 8-17
proxy 8-9
ftp proxy 8-17
G
gated C-4
gopher proxy 8-9
groups
Application Defense 6-46
network 4-7, 5-19
user 4-7, 4-8
H
H.323 proxy 8-9
considerations 8-22
HA
see high availability 16-1
halt command 3-4
hardware
adding F-14
hardware acceleration
VPN 13-7
hardware authenticator 9-4
hardware platform 1-2
header stripping 11-22
heartbeat 16-3, 16-4, 16-5
help (online) xiii
high availability 16-1
configuration options 16-3
configuring 16-6
heartbeat 16-3, 16-4, 16-5
load sharing 16-3
peer-to-peer 16-8
primary-secondary 16-5
HINFO 10-27, 10-28
Host Enrollment List 3-27
host name 4-18
firewall 2-25
host object 4-10
configuring 5-13
hosted DNS
on firewall 10-11
single 10-3
split server 10-3
hosts
DNS 10-25
HTTP
proxy 8-9, 12-4
HTTPS
proxy 8-10, 12-4
I
ica proxy 8-10
ICMP 3-49, 8-11
ident proxy 8-10
IDS
server configuration 3-39
IETF 13-3
IIOP
Application Defense 4-16, 6-34
proxy 8-10
IKE 13-1, 13-5
imap proxy 8-10
Important tag xiv
importing
SecureClient certificates 13-48
in-addr-arpa 10-18
inbound proxy 8-2
incremental backup F-6
inetd 1-16
installation
executables 1-8
failed patch F-23
reinstalling software F-8
installing patches 3-45
interface configuration 3-50
interfaces report 17-23
Internet
hosts (connection information) 18-26,
18-27
Internet Explorer
browser 12-21
Internet Key Exchange 13-5
Internet server 10-7
IP address object 4-10
configuring 5-15
IP Filter 4-28
deny rules 17-17

overview 1-12
IP sniffing 1-2
IP spoofing 1-2
IPSec
defined 13-3
irc proxy 8-10
ISAKMP server 13-11
K
kernels
defined 1-4
determining current 3-11
differences 1-5
keys (VPN)
defined 13-4
encryption and decryption 13-4
generating 13-5
L
LDAP 13-13, 13-48
LDAP authentication 9-16
level0.backup script F-5
license
Host Enrollment List 3-27
how to 3-19
load sharing HA 16-3
loading patches 3-43
lockout
authentication failure 9-13
log in
Admin Console 2-5
logcheck 18-5
logging 18-21
backups F-5
DNS 10-36
loopback address 10-17
lotus proxy 8-10
ls -dy command A-12
ls -y command A-12
M
m4 macros 11-10
mail
Index
.forward files 11-5, 11-20
aliases 11-26
configuration 11-7, 11-10
domains 11-2, 11-3, 11-6
internal host 11-2
internal server 11-2
local delivery 11-5
local server 11-2
mailertables 11-12
postmaster 11-6
program mailers 11-5
reconfiguring 11-9
redirecting 11-26
servers 11-6
setup 11-6
SMTP 11-2
SNMP hosted 11-2
transparent SMTP 11-1
Type Enforcement restrictions 11-5
mail exchanger records 10-4, 10-21, 10-
23, 10-24
mail filtering
anti-spam filter 6-23
anti-spam filter configuration 11-13
keyword search filter 6-22
MIME/Anti-Virus filter 6-22
size filter 6-22, 6-23
mail host 11-2, 11-6
configuring 11-6
mail queues 11-5, 11-28
checking 11-27
mail.local program 11-3
mailertable files 11-12
maintenance A-15
maintenance mode
enable/disable authentication in F-20
management information base (MIB) 14-
3
manuals xii
master zone 10-18
attributes 10-20
contents (DNS) 10-25
maximum segment size (MSS) 8-33
membership
user groups 5-8
memory F-14
messages
Index In-7

Index
In-8 Index
audit 18-19
DNS 10-36
in mail queues 11-27
log 18-21
postmaster 11-6
system reboot F-17
methods used to authenticate users 9-5
MIME filtering
for mail 6-26
for Web 6-13
mode
safe 1-13
modem 17-10, 17-13
modify 3-50
monitoring
Sidewinder G2 18-3
Monitoring tool (ACLs) F-26
monthly system activity report 18-30
mp.config file 3-58
msn proxy 8-10
MSS (maximum segment size) 8-33
mssql proxy 8-10
mta domain 11-3
mta0 domain 11-6
mta1 domain 11-6
mtac domain 11-2, 11-6
Multicast Group Address 16-21
Multiple Address Translation (MAT) 3-52
multi-processor mode
enabling/disabling 3-57
MX record 10-4, 10-27, 10-28
N
name servers
boot files 10-4
configuring 10-5
name servers table 10-24
NAT 1-12, 3-49, 4-10
in proxy rules 4-19
netgroup object 4-11
configuring 5-19
netgroups
configuring 5-19
netmap
member 4-11, 5-16
object 5-16
netmap object 4-10
netmask 3-51, 3-53
netprobes
denying 17-17
Netscape
browser 12-21
Netscape browser 9-36, 12-19
netstat 17-22, F-32
netstat command 17-23
network address translation (NAT) 10-3,
10-30
network groups 4-7, 4-18
network interfaces 3-50
report 17-23
network object
destination 4-18
network objects 4-18
configuring 5-10
domain 4-10, 4-18
host 4-10, 4-18
IP address 4-10, 4-18
netgroup 4-11
netmap 4-10
subnet 4-11, 4-18
network probe
ignore 17-17
network probe attempts 17-17
network protection
illustrated 1-2
network security
and VPN 13-3
network service 4-18
networks
connections report 17-22
interfaces report 17-23
process status 17-20
routing tables 17-23
services 1-16
stack separation 1-10
News
feed 8-19
proxy 8-19
proxy redirection 8-21
server configurations 8-20
servers 8-19
newsgroups 8-19
NIC 17-25

NNTP 8-19
nntp proxy 8-11
non-transparent proxies 8-14
Note tag xiv
notify option 10-15, 10-20
nslookup command 17-12
NSS 1-16
nss.common.conf file 1-13
NTP B-1
configurations B-2
flags B-6, B-7
overview B-1
peer B-7
reasons for having stopped F-35
references B-8
restarting F-35
servers and clients B-2
stratum 0 F-35
troubleshooting F-34
version number B-1
ntp proxy 8-11
O
OID
editing 6-44
One-To-Many
considerations 15-2
defining additional secondary
firewalls 15-7
scenario 15-4
One-to-Many
exiting 15-12
managing 15-13
synchronized areas 15-14
online help xiii
operating system (BSD/OS) 1-4
operational kernel 1-4
checking if you’re in 3-11
features 1-5
routing tables 17-23
using remotely 2-2
when to use 3-2
OSPF C-1
configuration C-6
gated C-4
overview C-1
outbound proxy 8-2
P
Index
packages 3-41
pager
event response 17-10
paragraph formats
Caution xiv
Important xiv
Note xiv
Security Alert xiv
password
authentication 5-7
changing 3-9, 9-32, 9-34
changing in the administrative kernel
F-19
how users change their own 9-36
setting user 5-7
what to do if you forget F-19
password authentication 9-6, 9-18
Password Change Server 9-34
patches
failed installation F-23
installing 3-45
loading 3-43
peer-to-peer
high availability 16-8
performance report 17-19
pico editor A-10
ping command 17-12
ping proxy 8-11
planning
network and user groups 4-7
pop proxy 8-11
port
no service 18-28
redirection 8-8
specified in Web browser 12-19
unsupported service 18-28
postmaster 11-6
pre-shared password, defined 13-6
primary name server 10-8
primary-secondary HA 16-5
printer proxy 8-11
process
access to files 1-5
Index In-9

Index
In-10 Index
displaying information 17-20
domain 17-20
domain access 1-7
file access 1-8
processes
CPU time 17-20
report 17-20
status 17-20
promiscuous relaying 11-22, 11-24
proxies
address redirection 8-6
aol 8-9
authentication 9-2
changepw_form 8-9
connection service type 4-18
dns 8-9
enabling and disabling 8-28
finger 8-9
for external-to-internal proxy 8-3
FTP 8-17
ftp 8-9
gopher 8-9
H.323 8-9
HTTP 8-9, 12-4
HTTPS 8-10, 12-4
ica (Citrix) 8-10
IIOP 8-10
imap 8-10
inbound 8-2
indent 8-10
initial set-up 8-9
irc 8-10
lotus 8-10
msn 8-10
mssql 8-10
News 8-19
nntp 8-11
non-transparent 8-14
ntp 8-11
outbound 8-2
overview 1-11, 8-1
ping 8-11
pop 8-11
port redirection 8-8
printer 8-11
real media 8-11
redirection 8-21
rlogin 8-11
rsh 8-11
rtsp 8-11
smtp 8-11
snmp 8-12
socks5 8-12
sql 8-12
ssh 8-12
streamworks 8-12
sunrcp 8-12
t120 8-12
telnet 2-24, 8-11, 8-12, 8-15
transparent 8-14
wais 8-12
Web 12-1
Web proxy considerations 12-12
WebProxy server 8-18
whois 8-12
wins 8-12
Xscreen0 8-13
proxy rules
Administration Services Only 4-25
authentication 4-19
connection service type 4-18
default 4-21
destination burb 4-18
failed connection request F-24
NAT 4-19
optional criteria 4-18
overview 4-17
redirection 4-19
SafeWord groups 7-9
service group 4-12, 4-24
source burb 4-18
Standard Internet 4-25
temporary 7-10, 7-17
time to live option 7-10, 7-17
troubleshooting F-23
ps command 17-20
R
RADIUS authentication 9-8, 9-19
real media proxy 8-11
realtime blackhole list 11-22
rebooting 3-3
to administrative kernel command 3-4

to operational kernel command 3-4
reconfigure
DNS 10-29
mail 11-9
redirecting proxies 8-21
address redirection 7-6, 8-6
port redirection 8-8
redirection 4-10
in proxy rules 4-19
reference material xiii
online help xiii
RFCs xiii
re-imaging
Sidewinder G2 F-17
reinstallation F-17
remote access
clientless VPN 12-3
remote administration
via SSH 2-17
via telnet 2-24
remote certificate 13-40
Remote Identities
defined and configuring 13-35
remote management
Admin Console 3-56
reports
3rd party tools 18-31
daily activity 18-30
mail queues 11-27
monthly activity 18-30
network connections 17-22
network connections/services 17-22
network interfaces 17-23
routing tables 17-23
Strikeback 17-15
VPN activity 18-29
weekly activity 18-30
restarting 3-3
restore F-8, F-11
complete F-9
configuration files 3-13
file types F-4
overview F-8
root filesystem F-11
script command options F-12
shlib directory F-11
restore configuration files
Index
via command line F-14
restricting
access by date and time 4-19
Web access E-1
reverse zones 10-18
RFCs xiii
RIP D-1
configuring D-12
trace and log information D-16
transparent IP addressing D-5
without transparent IP addressing D-8
rlogin proxy 8-11
roles
admin 1-8, 3-5
adminro 3-5
deleting 3-7
exiting 3-12
restore F-9
switching 3-12
roles.conf file 3-7
rollaudit A-17
rollaudit.conf file A-16
root 1-5, 1-8
restoring filesystem
restoring F-11
rotating files 18-22, A-15
routed D-3
configuring D-12
filter D-14
flushing filter routes D-16
routes
default 3-54
static 3-54
routing
dynamic (OSPF) C-1
dynamic (RIP) D-1
routing tables report 17-23
rsh proxy 8-11
rtsp proxy 8-11
rule
sort 18-26
rule elements 4-6
network objects 4-9
planning for 4-7
user groups 4-8
users 4-8
rules
Index In-11

Index
In-12 Index
default proxy 4-21
IP Filter 4-28
proxy 4-17
run levels 1-14
S
safe mode 1-13
SafeWord PremierAccess
authentication 9-6, 9-21
SafeWord RemoteAccess
authentication 9-6
SafeWord user groups 7-9
scanner
service 3-34
SCEP 13-34, 13-38, 13-41, 13-42
scripts
/etc/daily 18-30
/etc/monthly 18-30
/etc/weekly 18-30
creating your own A-14
cron A-15
do.dump F-5, F-9
do.restore F-11
level0.backup F-5
sdconf.rec file 9-23
secondary name server 10-8
secure shell (SSH) 2-17
Secure Web
Application Defenses 6-4
SecureClient certificates
importing 13-48
SecureOS 1-1, 1-10
SecurID authentication 9-8, 9-22
security 1-5
and VPN 13-3
Security Alert tag xiv
security association
VPN 13-51
Security Parameters Index (SPI)
using manual key exchange 13-62
SEF 18-12, 18-31
sendmail 11-6
blackhole list 11-22
configuration 11-10
header stripping 11-22
m4 macros 11-10
promiscuous relaying 11-22, 11-24
RealTime Blackhole list 11-24
version 11-10
sendmail.cf files 11-10
serial number (DNS) 10-22
server.conf file A-11, D-16
servers
connection service type 4-18
DNS 10-7
enabling/disabling 3-30
mail 11-2, 11-6
News 8-19, 8-20
telnet 2-24, 2-25
Web 12-2, 12-3
service group 4-12, 4-18, 4-24
service groups
configuring 5-21
example 4-13
service type 4-18
shlib directory F-11
shun server 3-39
shund 3-39
shutdown 3-3
Sidewinder G2
administrator interfaces 2-2
authentication methods 9-3
configuration using cf command A-1
defined 1-1
filesystems F-5
general system tasks 3-1
kernels 1-4
NTP B-1
re-imaging F-17
SNMP agent 14-1
Sidewinder Hosted
DNS 10-2
sighup command 1-16
single sign-on (SSO)
authentication 9-27
site.txt file
SmartFilter E-8
size filter 6-23
slave zone 10-18
SmartFilter
control list 12-14, E-1
controlling Web access E-1
sample Control List E-2

smartfilter.site file E-9
SMTP 11-2
ACL rule checking 11-8
configuration 11-7
configuring servers 11-8
secure split servers 11-2
transparent mail 11-1
smtp proxy 8-11
SNK authentication 9-8, 9-24
SNMP 6-42, 14-1
agent 14-1
alarm trap 14-4
authentication header 14-3
basic information 14-1
community names 14-3
configuring agent on the firewall 14-8
enabling/disabling agent 14-8
management information base (MIB)
14-3
proxy 8-12
traps 14-4
SOA record 10-21
SOCKS proxy 6-41
socks5 proxy 8-12
SoftRemote 13-8, 13-44
software authenticator 9-4
software packages 3-41
installing 3-45
sounds F-21
source burb 4-18
spam
see anti-spam filter 11-13
SPI (Security Parameters Index)
using manual key exchange 13-62
SPI index 13-63
split DNS 10-7, 10-8
sql proxy 8-12
Squid 8-18, 12-18, A-18
squid.conf.template file 12-18
srole command 3-12, 18-28
SSH 2-17
client 2-20
enabling server 2-18
proxy 8-12
server 2-22
SSL decryption 6-5, 8-18
SSO
Index
authentication 9-27
stacks 1-10
standard
Application Defenses 6-45
Standard Internet
proxy rules 4-25
startup
kernel 1-4
State Change Wizard 2-9, 2-11
HA create cluster 16-8
HA join existing 16-13
HA remove primary 16-17
One-To-Many add primary 15-6
One-To-Many add secondary 15-9
One-To-Many remove primary 15-13
stateful inspection 1-12
static route 3-54
status
process 17-20
status reports
routing tables 17-23
stratum 0 F-35
streamworks proxy 8-12
Strikeback 17-14
command options 17-11
configuring 17-1
sample results 17-15
timeout option 17-13
strikeback_wait_time option 17-12
strong authentication 9-3
Strong Cryptography 6-7, 12-8
sub-domain (DNS) 10-23
subnet
network object 4-18
subnet object 4-11
configuring 5-17
sunrcp proxy 8-12
super-user 1-5, 1-8
support for multiple networks 1-2
syslog 18-21
audit messages 18-22
configuration file 18-22
syslogd 18-22
file rotation 18-22
system boot 1-4
system calls 1-7
system reboot
Index In-13

Index
In-14 Index
T
messages F-17
T.120 proxy 8-12, 8-22
TCP checksum offload 3-50
TCP connections 17-22
maximum segment size 8-33
tcpdump F-34, F-36
telnet
defined 2-24
no connection 8-16
proxy 2-24, 8-11, 8-12, 8-15
server 2-24
server setup 2-25
time (setting) 3-9
traceroute command 17-12
transparent
DNS 10-2, 10-9
mail (SMTP) 11-1
proxies 8-14
transport mode 13-54
traps within SNMP 14-4
troubleshooting
NTP F-34
proxy rules F-23
TTL value (DNS) 10-22
tunnel mode 13-6, 13-54
Type Enforcement 1-4
administrative kernel 1-8
defined 1-6
directory types A-12
dump function F-4
effects 1-8
file types A-12
how it works 1-5
restore F-4
sendmail 11-5
U
UDP connections 17-22
uname -a
command 3-11
unbound DNS server 10-7
UNIX
editing files A-11
security 1-5
text editors A-11
UPS (Uninterruptible Power Supply) 3-58
uptime command 17-19
Usenet News 8-19
user groups 4-7, 4-8
authentication 4-8
configuring 5-3
displaying 5-1
in proxy rules 4-19
membership 5-8
user passwords 5-7
users
changing password 3-9
displaying 5-1
using the Admin Console 3-3
V
var/log directory
backup.log F-5
daily.out A-15
monthly.out A-16
weekly.out A-16
wtmp file A-16
var/log/audit.raw file 10-36
var/log/daemon.log file 10-36
var/log/daily.out file 18-30
var/log/monthly.out file 18-30
var/log/weekly.out file 18-30
var/spool/mqueue.0 11-5, 11-27
var/spool/mqueue.1 11-5, 11-27
var/spool/mqueue.c 11-5, 11-27
version
sendmail 11-10
vi editor
commands A-10
using A-10
virtual burb 13-15
virus scanning 3-34
vmstat command 17-19
VPN
AH keys 13-63
algorithms 13-63
and SecureClient 13-7
association 13-51

certificate authority 13-27
certificate management daemon 13-
14
certificate server 13-13
client 13-7
client address pools 13-18
client ID 13-27
clientless 8-18, 12-3
embedded 13-1
Extended Authentication 13-8
firewall certificate 13-37
fixed IP 13-25
hardware acceleration 13-7
how it works 13-4
IKE 13-1
ISAKMP server 13-11
key types 13-4
LDAP 13-48
public CA server 13-32
remote certificate 13-40
Remote Identities 13-35
scenarios 13-65
security association 13-51
SPI 13-63
transport mode 13-6
tunnel mode 13-6
understanding 13-1
VPN report 18-29
W
wais proxy 8-12
warder 9-9
weak authentication 9-3
Web
access 12-1
access via proxy 12-2, 12-3
Application Defenses 6-4
browser 12-6, 12-10
caching 12-11
configuring the Squid caching proxy
12-11
configuring Web proxy on port 80 12-
7
implementation options 12-3
restricting access to E-1
SmartFilter 12-10
Index
Web proxy 12-1
Web servers 12-2, 12-3
WebProxy server 8-18, 9-32, 9-36, 12-
4, 12-10, 12-12
options 12-15
transparent/non-transparent mode
12-18
WebTrends 18-31, 18-33
weekly system activity report 18-30
whereami
command 3-12
whitelist
configuring for anti-spam 11-13
whois command 8-12, 17-25
whois proxy 8-12
Windows Domain
authentication 9-8, 9-26
wins proxy 8-12
WINS server 13-23
X
X Windows
pre-defined proxy 8-13
Xscreen0 proxy 8-13
Z
zones 10-16
Index In-15

Index
In-16 Index

The Sidewinder G2 ® Security Appliance is the most comprehensive
gateway security appliance in the world, with the strongest credentials
of any leading all-in-one firewall or Unified Threat Management security
appliance (as tracked by IDC and Gartner). This market leading Internet
security appliance protects your applications and networks against the
entire threat matrix competely and reliably—and at Gigabit speeds. This
appliance consolidates the widest variety of gateway security functions
in one system, reducing the complexity of managing a total perimeter
security solution. These security functions include our unprecedented
Application Defenses firewall with embedded anti-virus, anti-spam,
traffic anomaly detection, IDS/IPS, and a whole host of other critical
protective features described below.
Sidewinder G2 includes the only firewall that has never had a CERT
advisory posted against it in over 10 years—a truly remarkable
accomplishment. It recently achieved the highest level of EAL4+
Common Criteria certification possible (far stronger than other vendors’
EAL4 ratings). As a result, your Sidewinder G2 provides you with defensein-depth
protections against the entire threat matrix around the clock.
Secure Computing Corporation
www.securecomputing.com
Corporate Headquarters
4810 Harwood Road
San Jose, Ca 95124 USA
Tel +1.800.379.4944
Tel +1.408.979.6100
Fax +1.408.979.6501
European Headquarters
East Wing, Piper House
Hatch Lane
Windsor SLl4 3QP UK
Tel +44.1753.410900
Fax +44.1753.410901
SWOP-MN-ADMN61-C
Asia/Pac Headquarters
1604-5 MLC Tower
248 Queen’s Road East
Wan Chai, Hong Kong
Tel +852.2520.2422
Fax +852.2587.1333
Japan Headquarters
Level 15 JT Bldg.
2-2-1 Toranomen Minato-Ku
Tokyo 105-0001 Japan
Tel +81.3.5114.8224
Fax +81.3.5114.8226
ADDITIONAL SECURITY
SOLUTIONS FROM
SECURE COMPUTING
SIDEWINDER G2 ENTERRPISE MANAGER
Sidewinder G2 ® Enterprise Manager from
Secure Computing is an enterprise strong ®
security appliance that delivers single-point
policy management for hundreds of distributed
Sidewinder G2 systems, and a simple Power-It-On deployment. It provides a robust audit repository,
and is managed remotely from an intuitive
Windows-based software package. It makes central
management of complex hierarchical policies a
reality. SQL database architecture enables you to
customize the software to group firewalls in any
way that is meaningful to your organization, goals,
and mission.
SMARTFILTER PRODUCTS
SmartFilter ® products (SmartFilter, Sentian , and
Bess ® ) enable organizations to understand and
monitor their Internet use, while taking effective
steps to provide appropriate control over outbound
Web access.
SAFEWORD PRODUCTS
SafeWord ® products provide Strong authentication
technology that positively identifies users and
eliminates the password risk—ensuring that only the
right people can make connections to your business.
© 2005 Secure Computing Corporation. All Rights Reserved. Secure Computing,
SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport,
SecureOS, MobilePass, G2 Firewall, Bess, Sidewinder G2, enterprise strong,
PremierAccess, and Strikeback are trademarks of Secure Computing Corporation,
registered in the U.S. Patent and Trademark Office and in other countries.
G2 Enterprise Manager, Application Defenses, RemoteAccess, On-Box, Power-It-On!,
Sentian, and Securing connections between people, applications, and networks are
trademarks of Secure Computing Corporation. All other trademarks used herein
belong to their respective owners.