WORKING WITH THE SMARTDASHBOARD
Chapter 5

VPN-1/FireWall-1 gives you the ability to manipulate how you view your Rule Base, by:
• Masking (hiding) rules
• Viewing hidden rules
• Disabling rules

In addition to hiding and unhiding rules, VPN-1/FireWall-1 allows you to perform the following:
• Install and uninstall a Security Policy
• Improve VPN-1/FireWall-1 performance via a Security Policy

Objectives
1 Demonstrate how to perform the following:
• Hide and unhide rules
• View hidden rules
• Define a rule mask
• Apply rule masks
2 Show how to install and uninstall a Security Policy
3 List the guidelines for improving VPN-1/FireWall-1 performance, using a Security Policy.

Key Term
• Masking rules

MASKING RULES

Overview
During Rule Base maintenance or troubleshooting, you can make viewing a Rule Base easier by hiding rules you do not want to see. This is called masking rules. Masking rules is useful for viewing a few rules, without being distracted by other rules. These masked or hidden rules remain part of the Rule Base, and are installed when the Security Policy is installed. To hide a rule or rules, first select the rule(s), then select the Rules > Hide option from the menu bar.

When hiding individual rules, all other rules remain visible, but their rule numbers do not change.

Viewing Hidden Rules
If View Hidden in the Rules > Hide menu is checked, then all rules selected as hidden are displayed in the Rule Base, together with the other rules.

A thick, grey, horizontal line indicates the presence of hidden rules.

Figure: Hidden Rules not Displayed

Whether they are displayed or not, hidden rules are enforced when the Security Policy is installed.

When they are revealed, rules set as hidden are colored differently from other rules. Different coloring makes it easy to identify rules set as hidden, when those rules are revealed.

Figure: Hidden Rule Displayed

Revealing Hidden Rules
To remove the hide setting for all hidden rules, select Unhide All from the Rules > Hide menu.

DISABLING AND ENABLING RULES

When you disable a rule, the rule is not actually disabled until the Security Policy is installed. The rule remains in the Rule Base, and can be enabled later. This is useful for testing and troubleshooting firewall issues. To troubleshoot by disabling rules, follow these steps:
1 Disable all rules suspected of causing the issue.
2 Reinstall your Security Policy.
3 Test to see if disabling rules solves the issue.
4 Enable rules one at a time, to see which rule is causing the issue.
5 Reinstall the Security Policy.

Do not forget to reinstall your Security Policy after disabling/enabling any rules!

Disabling a Rule
To disable a rule, follow these steps:
1 Right-click the selected rule's number, and select Disable Rule.
2 Save and install the Security Policy.

When a rule is disabled, a large red "X" is displayed over its rule number.

Figure: Disabled Rule

Enabling a Disabled Rule
To enable a disabled rule, follow these steps:
1 Select the disabled rule by right-clicking its number, and selecting Disable Rule (to deselect).
2 Save and reinstall the Security Policy.

Adding Section Titles
Large rule bases can be organized into groups of rules to make administration easier. A title can be added to indicate the rule group. To add a section title:
1 Select Rules from the Menu, and choose Add Section Title.
2 Select the Title placement, above or below the rule.
3 Type the Header information, and click OK.

Figure: Section Titles

UNINSTALLING A SECURITY POLICY

The Uninstall Security Policy screen lists all internal firewalled hosts and routers. By default, all internal firewalled hosts and routers are already selected. To uninstall a Security Policy, use the following steps:
1 Click Policy > Uninstall from the Security SmartDashboard main screen.
2 Click Select All, to select all the items in the screen. You may clear specific items. The Security Policy will not be removed from cleared items.
3 Click OK to uninstall the Security Policy.
4 Once the Close button appears, click Close, to return to the SmartDashboard.

Figure: The Uninstall Policy screen

When the Security Policy is uninstalled, traffic will not pass through the Enforcement Modules. Also, the gateways are exposed without having a Security Policy installed.

IMPROVING VPN-1/FIREWALL-1 PERFORMANCE

SmartCenter Server
Installation time for creating network objects can often be decreased by listing machine names and IP addresses in the hosts files:
(Solaris) /etc/hosts
(Windows) \winnt\system32\drivers\etc\hosts

Enforcement Module
VPN-1/FireWall-1 performance depends on hardware, the Security Policy, and the characteristics of network traffic. While the Enforcement Module is inspecting packets, the amount of time a packet spends in the kernel increases. The conclusion is that VPN-1/FireWall-1 has an impact on latency (connection or transaction latency), and has less impact on bandwidth.

The following suggestions are guidelines for improving performance of Security Policies:
1 Keep the Rule Base simple. Performance degrades with a very large number of rules, or when the rules are complex.
2 Try to position the most frequently applied rules near the top of the Rule Base. The firewall reads the Rule Base in order, so putting the most frequently applied rules first will speed up the process. For example, if most connections are HTTP packets, the rule that accepts HTTP should be near the top of the Rule Base. Be sure to keep this rule as simple as possible. Client Authentication rules should always be placed before the Stealth Rule, as they need direct access to the firewall.
3 Do not log unnecessary connections.
4 Use a network object in place of many workstation node objects.
5 Use IP address ranges in rules, instead of a set of workstation nodes (address ranges are discussed in the NAT chapter).
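
The ordering guideline above, combined with the hidden and disabled behaviour described earlier in the chapter, as an added example (not Check Point code and not part of the original courseware): a simplified first-match model that counts rules examined per connection under two orderings and reports any connection whose verdict changes. The rules, addresses, traffic mix and the sign-on port 259 are constructed assumptions, and matching is reduced to destination and port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    dst: str                 # destination network in CIDR form
    port: Optional[int]      # destination port, or None for Any
    action: str              # "accept" or "drop"
    hidden: bool = False     # view mask only; still installed and enforced
    disabled: bool = False   # left out at the next policy install

def install(rule_base):
    """Rules in effect after an install: hidden rules stay, disabled rules drop out."""
    return [r for r in rule_base if not r.disabled]

def evaluate(installed, conn):
    """First-match walk in rule order; returns (action, rules examined)."""
    dst, port = conn
    for n, r in enumerate(installed, 1):
        if ip_address(dst) in ip_network(r.dst) and r.port in (None, port):
            return r.action, n
    return "drop", len(installed)

def compare_orderings(old, new, traffic):
    """Total rules examined under each ordering, plus connections whose verdict changed."""
    a, b = install(old), install(new)
    old_cost = new_cost = 0
    changed = []
    for conn in traffic:
        (va, ca), (vb, cb) = evaluate(a, conn), evaluate(b, conn)
        old_cost, new_cost = old_cost + ca, new_cost + cb
        if va != vb:
            changed.append(conn)
    return old_cost, new_cost, changed

# Constructed sample data (documentation address ranges); 192.0.2.1 is the gateway.
GW, ANY = "192.0.2.1/32", "0.0.0.0/0"
client_auth = Rule("client-auth", GW, 259, "accept")   # sign-on port is an assumption
stealth = Rule("stealth", GW, None, "drop")            # drops traffic sent to the gateway
smtp = Rule("smtp", "198.51.100.25/32", 25, "accept", hidden=True)
ftp = Rule("ftp", "198.51.100.21/32", 21, "accept", disabled=True)
http = Rule("http", "198.51.100.0/24", 80, "accept")
cleanup = Rule("cleanup", ANY, None, "drop")

OLD = [client_auth, stealth, smtp, ftp, http, cleanup]
GOOD = [client_auth, stealth, http, smtp, ftp, cleanup]   # HTTP moved up, below stealth
BAD = [stealth, client_auth, http, smtp, ftp, cleanup]    # stealth now shadows client-auth
TRAFFIC = [("198.51.100.80", 80)] * 8 + [("198.51.100.25", 25), ("198.51.100.21", 21),
                                         ("192.0.2.1", 259), ("192.0.2.1", 80)]
```

Calling `compare_orderings(OLD, GOOD, TRAFFIC)` shows the cost falling with no verdict changes, while `compare_orderings(OLD, BAD, TRAFFIC)` lists the Client Authentication connection that the Stealth Rule now drops.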