Symantec 360R Administration Guide

Symantec 360R - Security Gateway SGS Manual

Symantec 360R manual content summary:

  • Symantec 360R | Administration Guide - Page 1
    Symantec™ Gateway Security 300 Series Administrator's Guide Supported models: Models 320, 360, and 360R
  • Symantec 360R | Administration Guide - Page 2
    mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1 Technical support As part of Symantec Security Response, the Symantec global Technical Support group maintains
  • Symantec 360R | Administration Guide - Page 3
    Support program ■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support , and IP address information ■ Problem description ■ Error messages/log files ■ Troubleshooting performed prior to contacting Symantec
  • Symantec 360R | Administration Guide - Page 4
    Service To contact Enterprise Customer Service online, go to www.symantec.com/techsupp/, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service Information on Symantec Value License Program ■ Advice on Symantec's technical support options ■
  • Symantec 360R | Administration Guide - Page 5
    Contents Chapter 1 Chapter 2 Chapter 3 Introducing the Symantec Gateway Security 300 Series Intended audience 12 Where to DHCP ...30 PPPoE ...31 Static IP and DNS 34 PPTP ...36 Dial-up accounts 39 Configuring advanced connection settings 43 Advanced DHCP settings 43 Advanced PPP settings 44
  • Symantec 360R | Administration Guide - Page 6
    64 Defining computer group membership 65 Defining computer groups 67 Defining inbound access 68 Defining outbound access 69 Configuring services 72 Redirecting services 73 Configuring special applications 74 Configuring advanced options 76 Enabling the IDENT port 76 Disabling NAT mode 77
  • Symantec 360R | Administration Guide - Page 7
    Contents 7 Chapter 7 Chapter 8 Chapter 9 Understanding Gateway-to-Gateway tunnels 88 Configuring dynamic Gateway-to-Gateway tunnels 91 Configuring static Gateway-to-Gateway tunnels 93 Sharing information with the remote gateway administrator 96 Configuring Client-to-Gateway VPN tunnels 96
  • Symantec 360R | Administration Guide - Page 8
    133 Backing up and restoring configurations 133 Resetting the appliance 135 Interpreting LEDs 136 LiveUpdate and firmware upgrade LED sequences 139 Troubleshooting About troubleshooting 141 Accessing troubleshooting information 143 Licensing Session licensing for Symantec Gateway Security 300
  • Symantec 360R | Administration Guide - Page 9
    field descriptions 177 Computer Groups tab field descriptions 179 Inbound Rules field descriptions 180 Outbound Rules tab field descriptions 181 Services tab field descriptions 182 Special Application tab field descriptions 183 Advanced tab field descriptions 186 VPN field descriptions 187
  • Symantec 360R | Administration Guide - Page 10
    10 Contents
  • Symantec 360R | Administration Guide - Page 11
    Intended audience ■ Where to get more information The Symantec Gateway Security 300 Series appliances are Symantec's integrated security solution for small business environments, with support for secure wireless LANs. The Symantec Gateway Security 300 Series provides integrated security by offering
  • Symantec 360R | Administration Guide - Page 12
    an Internet browser. Where to get more information The Symantec Gateway Security 300 Series functionality is described in the following manuals: ■ Symantec™ Gateway Security 300 Series Administrator's Guide The guide you are reading, this guide describes how to configure the firewall, VPN, AntiVirus
  • Symantec 360R | Administration Guide - Page 13
    Gateway Management Interface (SGMI). The SGMI is a standalone management console for locale management and log viewing. This guide describes how to use the SGMI to manage Symantec Gateway Security 300 Series appliances. The SGMI is a browser-based console where you can create configurations, view
  • Symantec 360R | Administration Guide - Page 14
    are located on the left side of the window at all times. Figure 2-1 Security Gateway Symantec Gateway Security 300 Series Wireless Implementation Guide for more information. Use one of the following supported the instructions in the Symantec Gateway Security 300 Series Quick Start Card before connecting
  • Symantec 360R | Administration Guide - Page 15
    360/360R Number of WAN ports 1 2 Number of LAN ports 4 8 Number of serial (modem) ports 1 1 To connect to the SGMI 1 Browse to the IP address of the appliance. The default appliance IP address is 192.168.0.1. 2 On your keyboard, press Enter. The Security Gateway Management Interface window
  • Symantec 360R | Administration Guide - Page 16
    limits access to the SGMI to people who have been given the password. You must have installed the appliance and connected your browser to the SGMI to set the password. See the Symantec Gateway Security 300 Series Installation Guide , as well as perform a manual reset or reset the appliance through
  • Symantec 360R | Administration Guide - Page 17
    reset the password 1 On the back of the appliance, press the reset button for 10 seconds. 2 Repeat the configure a password procedure. See "To manually reset the password" on page 17. Configuring remote management You can access the SGMI remotely from the WAN side using a computer with an IP
  • Symantec 360R | Administration Guide - Page 18
    18 Administering the security gateway Managing administrative access Figure 2-2 shows a remote management configuration. Figure 2-2 Remote management SGMI Internet Symantec Gateway Security 300 Series appliance Protected devices To configure remote management, specify both a start and end IP
  • Symantec 360R | Administration Guide - Page 19
    to the appliance's firmware from the configured IP address range, check Allow Remote Firmware Upgrade. The default is disabled. See "Upgrading firmware manually" on page 129. 5 Click Save. 6 To access the SGMI remotely, browse to the :8088, where is
  • Symantec 360R | Administration Guide - Page 20
    1 None 8 Connect to the appliance. 9 After the terminal has connected to the appliance, on the rear panel of the appliance, quickly press the reset button. 10 At the prompt, do one of the following: Local IP Address Type 1 to change the IP address of the appliance. Local Network Mask Type 2 to
  • Symantec 360R | Administration Guide - Page 21
    IP address, or finish IP address, do the following: ■ Type the new value for the setting you are changing. ■ Press Enter. 12 If you are restoring the default values for the appliance, press Enter. 13 Type 7. The appliance restarts. 14 On the rear of the appliance, turn DIP switch 3 to the
  • Symantec 360R | Administration Guide - Page 22
    22 Administering the security gateway Managing the security gateway using the serial console
  • Symantec 360R | Administration Guide - Page 23
    connectivity on the WAN ports using the WAN/ISP windows or using the Setup Wizard, which is run the Symantec Gateway Security 300 Series Installation Guide for worksheets to plan the configuration. Symantec Gateway Security 300 Series model 320 has one WAN port to configure. Models 360 and 360R
  • Symantec 360R | Administration Guide - Page 24
    HA/LB). Network examples Figure 3-1 shows a network diagram of a Symantec Gateway Security 300 Series that is connected to the Internet. The termination type. This is a device that may be provided by your Internet Service Provider (ISP), or a network switch. The computer used for appliance
  • Symantec 360R | Administration Guide - Page 25
    network 25 Network examples Management Interface (SGMI). The protected network communicates through the Symantec Gateway Security 300 Series appliance to the Internet. Figure 3-1 Connection to the Internet Internet Termination point Symantec Gateway Security 300 Series SGMI Protected network
  • Symantec 360R | Administration Guide - Page 26
    an enclave of the larger internal network from unauthorized internal users. Enclave traffic from the protected network passes through the Symantec Gateway Security 300 Series and through the Symantec Gateway Security 5400 Series to the Internet. Figure 3-2 Connection to internal network Internet
  • Symantec 360R | Administration Guide - Page 27
    the WAN/ISP > Main Setup window, click Run Setup Wizard. See the Symantec Gateway Security 300 Series Installation Guide for more information. Warning: Symantec Gateway Security 300 Series models 360 and 360R appliances have two WAN ports, WAN 1 and WAN 2. The model 360 and 360R appliances support
  • Symantec 360R | Administration Guide - Page 28
    Applies to both WAN1 and WAN2. See "DNS gateway" on page 53. Alive Indicator Configure an alive indicator for each WAN port. "Dial-up accounts" on page 39 or "Configuring advanced WAN/ISP settings" on page 50. Routing Configure routing for each WAN port. See "Configuring routing" on page
  • Symantec 360R | Administration Guide - Page 29
    cables to the WAN ports. The following tables describe the supported connection types. The Connection type column is the option button you click on the Main Setup tab or in the Setup Wizard. The Services column is the types of accounts or protocols that are associated with the connection type. The
  • Symantec 360R | Administration Guide - Page 30
    T1 Direct Ethernet connection PPTP Cable modem DSL modem Channel Service Unit/Digital Service Unit (CSU/DSU) Ethernet cable (usually an enclave network server (DHCP server). In the case of a dedicated Internet account, the users are the clients extracting information from the ISP's Setup window.
  • Symantec 360R | Administration Guide - Page 31
    such as a DSL account. You can specify whether you connect or disconnect your PPPoE account manually or automatically. This 360 and 360R. LAN hosts are bound to a session on the Computers tab. See "Configuring LAN IP settings" on page 57. Note: Multiple IP addresses on a WAN port are only supported
  • Symantec 360R | Administration Guide - Page 32
    the PPPoE account. To configure PPPoE See "PPPoE tab field descriptions" on page 166. 1 In the SGMI, in the left pane, click WAN/ISP. 2 For model 320, do the following: ■ In the right pane, on the Main Setup tab, under Connection Type, click PPPoE (xDSL). ■ Click Save. 3 For model 360 or 360R, do
  • Symantec 360R | Administration Guide - Page 33
    0. 9 Under Choose Service, click Query Services. You must be disconnected from your PPPoE account to use this feature. See "Connecting manually to your PPPoE account" on page 34. 10 From the Service drop-down list, select a PPPoE service. You must click Query Services to select a service. 11 In the
  • Symantec 360R | Administration Guide - Page 34
    connect or disconnect from your PPPoE account. For model 360 or 360R, you can manually control the connection for either WAN port. This is useful to troubleshoot the connection to the ISP. To manually control your PPPoE account You can manually control your PPPoE account through the SGMI. See "PPPoE
  • Symantec 360R | Administration Guide - Page 35
    use. You must enter at least one DNS if you have a static IP account. See "Static IP & DNS tab field descriptions" on page 165. To configure side of the Symantec Gateway Security 300 Series appliance. ■ In the Network Mask text box, type the network mask. Change this only if your ISP requires it. ■
  • Symantec 360R | Administration Guide - Page 36
    connectivity PPTP 5 For model 360 or 360R, do the following: ■ IP address of the external (WAN) side of the Symantec Gateway Security 300 Series appliances. ■ In the Network address assigned to your account. ■ Account information User name and password to log in to the account. To configure PPTP
  • Symantec 360R | Administration Guide - Page 37
    Main Setup tab, under Connection Type, click PPTP. ■ Click Save. 3 For model 360 or 360R, do the following: ■ Under WAN1 (External), in the Connection Type drop-down list account user name. 9 In the Password text box, type your ISP account password. 10 In the Verify text box, type your ISP account
  • Symantec 360R | Administration Guide - Page 38
    control the connection for either WAN port. This is helpful for troubleshooting connectivity. To manually connect to your PPTP account For model 320, you can connect or disconnect to your PPTP account. For model 360 or 360R, you select the WAN port to control, and then connect or disconnect. See
  • Symantec 360R | Administration Guide - Page 39
    port to connect. ■ Under Manual Control, click Disconnect. Dial-up accounts There are two basic types of dial-up accounts: analog and ISDN. Analog uses Symantec Gateway Security model 320 appliance Serial port Figure 3-4 shows the serial port on the rear panel of the model 360 and 360R appliances.
  • Symantec 360R | Administration Guide - Page 40
    3-4 Rear panel of Symantec Gateway Security model 360 and 360R appliances Serial port Before configuring the appliance to use your dial-up account as either the primary port on the back of the appliance. 3 If it requires external power, plug the modem into a wall socket. 4 Turn on the modem.
  • Symantec 360R | Administration Guide - Page 41
    . 3 Click Save. 4 On the Dial-up Backup & Analog/ISDN tab, under ISP Account Information, do the following: User Name Type the account user name. Password Type the account password. Verify Password Retype the account password. Dial-up Telephone 1 Type the dial-up telephone number. Dial-up
  • Symantec 360R | Administration Guide - Page 42
    You can force the appliance to connect or disconnect from your dial-up account. This is helpful for verifying connectivity. To manually control the dial-up account See "Dial-up Backup & Analog/ISDN tab field descriptions" on page 167. 1 In the SGMI, in the left pane, click WAN/ISP. 2 To connect
  • Symantec 360R | Administration Guide - Page 43
    To refresh the dial-up account status, on the Dial renew request, which tells the ISP to allocate a new IP address to the appliance. You can tell the appliance at any time to request a new IP address, by forcing a DHCP renew. However, you should only do this if requested by Symantec Technical Support
  • Symantec 360R | Administration Guide - Page 44
    the idle renew time and manually force a DHCP renew request. See "Advanced tab field descriptions" on page 175. To configure idle renew 1 In Renew. 3 For model 360 or 360R, do one of the following: ■ To renew WAN1, on the Advanced tab, under Optional Connection Settings, click Renew WAN1. ■ To renew
  • Symantec 360R | Administration Guide - Page 45
    appliance along the transmission path requires a smaller MTU. On models 360 and 360R, if you are configuring support two types of dynamic DNS services: standard and TZO. You can configure either service by specifying account information, or you can disable dynamic DNS completely. See the Symantec
  • Symantec 360R | Administration Guide - Page 46
    320, skip to step 4. ■ For model 360 and 360R, in the WAN Port drop-down list, select the WAN port for which you are configuring TZO. 4 Under TZO Dynamic DNS Service, do the following: ■ In the Key text box, type the key that TZO sent when the account was created. ■ In the Email text
  • Symantec 360R | Administration Guide - Page 47
    , the appliance sends its current IP address, host name, and domain to the service. Do this only if requested by Symantec Technical Support. For model 320, you can force a dynamic DNS update for the WAN port. For model 360 or 360R, you can force a dynamic DNS update for WAN1, WAN2, or both ports. To
  • Symantec 360R | Administration Guide - Page 48
    Type, click Disable. 3 For model 360 or 360R, do the following: ■ On the Dynamic DNS tab, under Service Type, in the WAN Port drop-down list, select the WAN port to disable. ■ Click Disable. 4 Click Save. Configuring routing If you install Symantec Gateway Security 300 Series appliances on a network
  • Symantec 360R | Administration Guide - Page 49
    Configuring a connection to the outside network 49 Configuring routing To enable dynamic routing See "Routing tab field descriptions" on page 174. 1 In the SGMI, in the left pane, click WAN/ISP. 2 On the Routing tab, under Dynamic Routing, check Enable RIP v2. 3 Click Save. Configuring static route
  • Symantec 360R | Administration Guide - Page 50
    also set optional network settings, which identify the appliance to a network. Note: Model 320 appliances have one WAN port and do not support high availability, load balancing, and bandwidth aggregation. High availability You can configure high availability for each WAN port in one of three ways
  • Symantec 360R | Administration Guide - Page 51
    high availability mode. ■ To configure the WAN2 port, under WAN2, select a high availability mode. 3 Click Save. Load balancing Symantec Gateway Security 300 Series model 360 and 360R appliances each have two WAN ports. On these appliances, you can configure high availability and load balancing (HA
  • Symantec 360R | Administration Guide - Page 52
    to your clients. After the amount of time that you specify (for example, 10 seconds), the appliance issues a PING command to the URL you specify as fails over to the serial port, which is connected to a modem. On model 360 or 360R, if one of the WAN ports fails, the security gateway fails over to
  • Symantec 360R | Administration Guide - Page 53
    Status tab and an alternate route for traffic is attempted. See "Dial-up accounts" on page 39 to configure failover for a dial-up account. See "Connecting manually to your PPPoE account" on page 34 to configure a echo request for accounts that use PPP. To configure failover See "Main Setup tab field
  • Symantec 360R | Administration Guide - Page 54
    broadband cable (DHCP) services. You can clone your computer's adapter address to connect to your ISP with the Symantec Gateway Security 300 Series. Symantec Gateway Security 300 Series Wireless Implementation Guide. For model 320, you configure the settings for the WAN port. For model 360 or 360R
  • Symantec 360R | Administration Guide - Page 55
    domain name for the appliance. ■ In the MAC Address text boxes, type the WAN network adapter address (MAC) that you are cloning. 3 For model 360 and 360R, do the following: ■ To configure WAN1 or WAN 2, in the right pane, on the Main Setup tab, under Optional Network Settings, under WAN1 (External
  • Symantec 360R | Administration Guide - Page 56
    56 Configuring a connection to the outside network Configuring advanced WAN/ISP settings
  • Symantec 360R | Administration Guide - Page 57
    server ■ Configuring port assignments LAN settings let you configure your Symantec Gateway Security 300 Series appliance to work in a new or use a static IP address. Note: Model 320 has four LAN ports. Models 360 and 360R have eight LAN ports. For each port, you must specify the port settings
  • Symantec 360R | Administration Guide - Page 58
    the appliance's IP address to 10.10.10.x, so you do not computers on the LAN without manually assigning each computer its own the LAN and is useful if you have a limited number of IP addresses available. Each time a number of clients to support, plus two. For example, if you support 50 clients on
  • Symantec 360R | Administration Guide - Page 59
    Address End IP Address 320 50 360 75 192.168.0.2 192.168.0.2 192.168.0.76 192.168.0.76 The DHCP server only supports class C networks. Class C DHCP IP addresses. Also, you may want to assign static IP addresses to some services. For example, if you have a Web server on your site, you want to
  • Symantec 360R | Administration Guide - Page 60
    as a wireless access point to a LAN port, you can secure the wireless connection using VPN technology. See the Symantec Gateway Security 300 Series Wireless Implementation Guide. Once a port assignment is set, the untrusted ports enable and enforce encrypted VPN traffic, using global tunnels to the
  • Symantec 360R | Administration Guide - Page 61
    engine unless it was specifically designated for it. This option does not support client VPN tunnels terminating at the LAN. When a LAN port is 3 Click Save. The appliance reboots when the port settings are saved. To restore port assignment default settings 1 In the SGMI, in the left pane, click
  • Symantec 360R | Administration Guide - Page 62
    62 Configuring internal connections Configuring port assignments
  • Symantec 360R | Administration Guide - Page 63
    services ■ Configuring special applications ■ Configuring advanced options The Symantec Gateway Security 300 Series appliance includes firewall technology that let you configure the firewall component to meet your security policy requirements Symantec Gateway Security 300 Series Installation Guide.
  • Symantec 360R | Administration Guide - Page 64
    of users will be protected by the security gateway? Will all users have the same access and privileges? ■ What types of services do you want to make available to internal users? ■ What standard application services do you want to make available to external users? ■ What types of special application
  • Symantec 360R | Administration Guide - Page 65
    other computer groups. Review your security policy to Windows-based computer, at a DOS prompt, type ipconfig /all and look for the physical address. On models 360 and 360R, you can restrict the computer to using only one of the WAN ports. This is useful if you have two broadband accounts
  • Symantec 360R | Administration Guide - Page 66
    this host. You must have a multi-session PPPoE account with your ISP if you want to bind a host to a PPPoE session. If you do host has been configured, you can check the Host List displayed at the bottom of the window. The fields in the list map to the fields entered when you configured the host.
  • Symantec 360R | Administration Guide - Page 67
    Network traffic control 67 Understanding computers and computer groups Defining computer groups Computer groups are logical groups of network entities used for outbound rules. You must configure and bind all local hosts (nodes) to the computer group they are in by using the Computers tab. See "
  • Symantec 360R | Administration Guide - Page 68
    part of an enabled rule, the connection request is denied and logged. The appliance supports a maximum of 25 inbound rules. When creating inbound rules, you must specify the applications server, the service, protocols, and ports that the rule allows, and source and destination information for each
  • Symantec 360R | Administration Guide - Page 69
    to the computer group, all other traffic is denied unless there is a specific rule to let it pass. The following list is the predefined outbound services: ■ DNS ■ FTP ■ HTTP ■ HTTPS ■ Mail (SMTP) ■ Mail (POP3) ■ RADIUS Auth ■ Telnet ■ VPN IPSec
  • Symantec 360R | Administration Guide - Page 70
    that does not use its default port, you can create your own custom services. You must create the custom services before creating the outbound rule. See "Configuring services" on page 72. An outbound rule enabled for FTP service for computer group 2 allows the members of computer group 2 outbound FTP
  • Symantec 360R | Administration Guide - Page 71
    Computer group: Everyone Service: Mail(SMTP) Outbound rule Name: FTP_2 Computer group: Group 2 Service: FTP Everyone computer you no longer need it. You can also temporarily disable outbound access for troubleshooting or controlling traffic. See "Outbound Rules tab field descriptions" on page 181
  • Symantec 360R | Administration Guide - Page 72
    The type of traffic is selected from the list of predefined services and custom services. Note: On models 360 and 360R, FTP application servers must be bound to a WAN port, WAN 1 or WAN 2. All other applications, such as HTTP, do not require binding to a WAN port. See "Binding to other protocols" on
  • Symantec 360R | Administration Guide - Page 73
    Web server listening for TCP on port 8080, you would create a new service application called WEB_8080. Select TCP as the protocol, and type 80 for enable an inbound rule for the Web application server that uses WEB_8080 as a service. Note: Redirection port range sizes must be the same as the Listen
  • Symantec 360R | Administration Guide - Page 74
    address defined in its settings, because firewalls using NAT can only open a defined service for a single computer on the LAN (when using a single external IP). The Special Applications tab works around this limitation by letting you set port triggers. The appliance listens for outgoing traffic on
  • Symantec 360R | Administration Guide - Page 75
    gives the illusion of allowing multiple computers having the same ports opened. Special Applications entries work best with applications that require low throughput. You may experience reduced performance with multiple computers activating streaming media or a heavy incoming or outgoing volume. The
  • Symantec 360R | Administration Guide - Page 76
    Click Delete. Configuring advanced options The Symantec Gateway Security 300 Series has several name and company name information being returned. However, this service poses a security risk since attackers can use this if there are problems accessing a server (server time-outs). Note: If you
  • Symantec 360R | Administration Guide - Page 77
    . If the VPN client used in Exposed Host (DMZ) has problems connecting from behind the security gateway, use the None setting. The following list includes the supported IPsec types: ■ 1 SPI ADI - Assured Digital ■ 2 SPI Standard (Symantec, Cisco Pix, and Nortel Contivity) clients ■ 2 SPI-C Cisco
  • Symantec 360R | Administration Guide - Page 78
    78 Network traffic control Configuring advanced options ■ Other Redcreek Ravlin ■ None Note: Only change the IPsec pass-thru setting if required to do so by Symantec Technical Support. To configure IPsec pass-thru settings See "Advanced tab field descriptions" on page 186. 1 In the SGMI, in the left
  • Symantec 360R | Administration Guide - Page 79
    Network traffic control 79 Configuring advanced options Managing ICMP requests By default, the security gateway does not respond to external ICMP requests sent to the WAN ports. You can also configure the security gateway to block or allow ICMP requests on the WAN. LAN ICMP requests always respond.
  • Symantec 360R | Administration Guide - Page 80
    80 Network traffic control Configuring advanced options
  • Symantec 360R | Administration Guide - Page 81
    Security 300 Series appliances support three types of VPN tunnels: Gateway-to-Gateway, Client-to-Gateway, and wireless Client-to-Gateway. To configure wireless Client-to-Gateway tunnels, see the Symantec Gateway Security 300 Series Wireless Implementation Guide. Securing your network connections
  • Symantec 360R | Administration Guide - Page 82
    for configuration instructions. If you do not have significant network or IT experience or have never configured a security gateway (Symantec or otherwise referred to as quick mode renegotiation. Note: Symantec Gateway Security 300 Series does not support VPN tunnel compression. To create a Gateway-
  • Symantec 360R | Administration Guide - Page 83
    list on the appliance; however this information may be useful to give to the remote gateway administrator. Table 6-1 lists the order of the Symantec Gateway Security 300 IKE proposals. Table 6-1 IKE proposal order Data Privacy Data Integrity Diffie-Hellman 3DES 3DES 3DES 3DES DES DES SHA1 MD5
  • Symantec 360R | Administration Guide - Page 84
    : You cannot delete pre-defined VPN policies. Creating custom Phase 2 VPN policies VPN Policies are pre-configured for typical VPN setups. If you require customized settings (for compatibility with 3rd party equipment, for example) then you can create a custom Phase 2 Policy on the VPN Policies tab
  • Symantec 360R | Administration Guide - Page 85
    VPN tunnel is temporarily interrupted when rekeys occur. 7 In the Data Volume Limit text box, type the number of kilobytes of traffic to allow before a Secrecy, click Enable. 10 Click Add. Viewing VPN Policies List The VPN Policies List section of the VPN Policies window displays a summary of
  • Symantec 360R | Administration Guide - Page 86
    RADIUS authentication server. You must configure the appliance to support remote administration of users with extended authentication. Dynamic users extended authentication and prompts him for whatever information the RADIUS server requires (such as a user name or password). The RADIUS server
  • Symantec 360R | Administration Guide - Page 87
    gateway uses for authentication should the primary server become unavailable. Authentication Port (UDP) Type the port on the RADIUS server on which the RADIUS service runs. Shared Secret or Key Type the RADIUS server key. 4 Click Save. 5 On the Client Tunnels tab, in the VPN Group drop-down list
  • Symantec 360R | Administration Guide - Page 88
    Save. Viewing the User List The User List section in the Client Users window displays a summary of each static user that is configured on the appliance. outside group, such as another office of the company. Instead of requiring each user on the second network to establish their own, private secure
  • Symantec 360R | Administration Guide - Page 89
    to one of the following appliances: ■ Symantec Gateway Security 5400 Series ■ Symantec Firewall/VPN Appliance Symantec Gateway Security 300 Series security gateways support creating a VPN tunnel to up to five remote subnets behind Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series
  • Symantec 360R | Administration Guide - Page 90
    on the appliance's LAN or WLAN ports. Supported Gateway-to-Gateway VPN tunnels The Symantec Gateway Security 300 Series appliance lets you configure Settings (Phase 1 Rekey). Static Gateway-to-Gateway configurations require you to manually enter tunnel parameters at each security gateway. Both ends
  • Symantec 360R | Administration Guide - Page 91
    problems if the remote security gateway tries to rekey first. Creating VPN tunnels to Symantec Gateway Security 5400 Series clusters To create a VPN tunnel to a Symantec Tunnels between Symantec Gateway 300 Series and Symantec Gateway Security 5400 Series appliances are supported in high-availability
  • Symantec 360R | Administration Guide - Page 92
    to ensure the continued integrity of the key. Configuration tasks for dynamic Gateway-to-Gateway tunnels Table 6-4 summarizes the tasks that are required to configure dynamic Gateway-to-Gateway VPN tunnels. Note: Complete each step in Table 6-4 twice: first for the local security gateway and
  • Symantec 360R | Administration Guide - Page 93
    PPPoE ISP account, skip this step. 7 For model 360 or 360R, on the Local Endpoint drop-down list, select an endpoint for the tunnel. 8 On the ID Type drop-down list, select a Phase 1 ID type. 9 In the Phase 1 ID text box, type the Phase 1 ID. 10 (SPI) is manually typed and included
  • Symantec 360R | Administration Guide - Page 94
    (0x + 16 hex digits) 42 (0x + 20 hex digits) Configuration tasks for static Gateway-to-Gateway tunnels Table 6-7 describes the tasks that are required to configure a static Gateway-to-Gateway VPN tunnel. Note: Complete each step in Table 6-7 twice: first for the local security gateway and then for
  • Symantec 360R | Administration Guide - Page 95
    . 4 If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop have a multi-session PPPoE ISP account, skip this step. 5 For model 360 and 360R, on the Local Endpoint drop length must match the chosen VPN policy. 10 In the Authentication Key text box, type
  • Symantec 360R | Administration Guide - Page 96
    policy authentication method (Optional) Local phase 1 ID Value Configuring Client-to-Gateway VPN tunnels Client-to-Gateway VPN tunnels let remote users running the Symantec Client VPN software (or any IPsec-compliant VPN client software) safely connect over the Internet to a network secured by
  • Symantec 360R | Administration Guide - Page 97
    Symantec Gateway Security 300 Series supports Client-to-Gateway VPN tunnel configurations. A Client-to-Gateway configuration is created when a workstation, running Symantec to secure their connections. See Symantec Gateway Security 300 Series Wireless Implementation Guide. Once a VPN tunnel is
  • Symantec 360R | Administration Guide - Page 98
    the client can access is the one defined on the LAN IP screen. See "Configuring LAN IP settings" on page 57. Symantec Client-to-Gateway VPN tunnels require a client ID and a shared key. You can also apply extended authentication using a RADIUS server to Client-to-Gateway VPN tunnels for additional
  • Symantec 360R | Administration Guide - Page 99
    the tunnel, if the first tunnel fails (because the name cannot be resolved, for example) the IP address can be used to connect. See Symantec Client VPN User's Guide. To define client tunnels See "Client Tunnels tab field descriptions" on page 197. 1 In the SGMI, in the left pane, click VPN. 2 In
  • Symantec 360R | Administration Guide - Page 100
    WINS server. This is an optional step. Windows Internet Naming Service (WINS) is a system that determines , check Enable Extended User Authentication. 10 (Optional) In the RADIUS Group Binding Policy Enforcement. ■ To log a warning to the Symantec Gateway Security log that a user is connecting that is
  • Symantec 360R | Administration Guide - Page 101
    the gateway information to your clients so that they may connect to it. Use Table 6-10 to record information to give your clients so that they may connect to the security gateway. Table 6-10 Information to give clients Information Value Gateway IP address or fully qualified domain name Pre
  • Symantec 360R | Administration Guide - Page 102
    10 Information to give clients Information Value RADIUS user name (Optional) RADIUS shared secret (user with extended authentication) (Optional) Phase 1 ID (Optional) Monitoring VPN tunnel status The VPN Status window , and by monitoring the Status window. See "Status tab field descriptions
  • Symantec 360R | Administration Guide - Page 103
    filtering Advanced network traffic control features of the Symantec Gateway Security 300 Series appliance include antivirus policy enforcement the virus definitions defined by the policy master. The appliance also supports basic content filtering for outbound traffic. You use content filtering to
  • Symantec 360R | Administration Guide - Page 104
    monitors the AV configuration of supported Symantec connected policy masters and client configuration and compares it against the current antivirus policy requirements. If the client is not in compliance, specified intervals (the default setting is every 10 minutes). Once a client is connected,
  • Symantec 360R | Administration Guide - Page 105
    client connections only. Note: You must place UNIX/Linux clients or clients with a non-supported AV client in a computer group without AVpe. Before you begin configuring AVpe Before configuring the Symantec Gateway Security 300 Series appliance, make sure you do the following: ■ Include your AVpe
  • Symantec 360R | Administration Guide - Page 106
    active Symantec antivirus client, and have a connection to the Internet where it can download virus to communicate with the client (as is required to validate client virus definitions). In this client and verifying that it has a supported Symantec antivirus client installed and that the virus
  • Symantec 360R | Administration Guide - Page 107
    to query the antivirus server for updated virus definitions. 5 To force a manual update, click Query Master. 6 Under Policy Validation, next to Verify AV check a client's antivirus configuration to ensure it uses a supported Symantec antivirus product with the latest product scan engine. ■ Any
  • Symantec 360R | Administration Guide - Page 108
    108 Advanced network traffic control Configuring AVpe To enable AVpe After you have configured AVpe, you must enable it for each computer or VPN group. Note: Enabling AVpe for VPN groups is for WAN clients only. You enable AVpe for LAN VPN clients through Computer groups in the Firewall section. See
  • Symantec 360R | Administration Guide - Page 109
    by this procedure are also removed. Warning: Do not use this procedure for clients managed by a Symantec AntiVirus server. To configure the AV clients 1 Install or configure each client's supported Symantec antivirus product in unmanaged mode. 2 Insert the Symantec Gateway Security 300 Series CD
  • Symantec 360R | Administration Guide - Page 110
    has been configured as part of a computer group with AVpe enabled, with connections blocked. 2 Open a Web browser and attempt to connect to www.symantec.com. The connection attempt should fail and all communication through the firewall should be blocked. 3 From the left pane of the Security Gateway
  • Symantec 360R | Administration Guide - Page 111
    client is a member of group with AVpe enabled, with connections blocked. Retry steps 1 through 4 above. About content filtering Symantec Gateway Security 300 Series supports basic content filtering for outbound traffic. You use content filtering to restrict the content to which clients have access
  • Symantec 360R | Administration Guide - Page 112
    in the allow or deny list for specific sites. For example, to allow traffic to any Symantec site, add symantec.com to the allow list. This allows traffic to liveupdate.symantec.com, www.symantec.com, fileshare.symantec.com, and so on. Content filtering applies to all outbound traffic, not just HTTP
  • Symantec 360R | Administration Guide - Page 113
    .com/pictures/me.html. 4 Click Add. Repeat the previous two steps until you have all your URLs added to the list. 5 Click Save List. To remove a URL from an allow or deny list 1 In the left pane, click Content Filtering. 2 From the Delete URL drop-down list, select the URL that
  • Symantec 360R | Administration Guide - Page 114
    114 Advanced network traffic control Monitoring content filtering Monitoring content filtering Content filtering logs a message in the log files if packets are dropped due to a user attempting to access a URL on the deny list, or attempting to access a URL that is not specifically permitted on the
  • Symantec 360R | Administration Guide - Page 115
    protection settings The Symantec Gateway Security 300 series appliance provides intrusion detection and prevention services (IDS and IPS blocks any connection attempt to an unauthorized service for inbound connections. However, when the Trojan horse lookup service is disabled, and only an access
  • Symantec 360R | Administration Guide - Page 116
    116 Preventing attacks Setting protection preferences one attack in five seconds. When ICMP is enabled, the log messages are not limited. The appliance defends against the following atomic IDS/IPS signatures: ■ Bonk ■ Back Orifice (Trojan horse communication channel) ■ Girlfriend (Trojan horse
  • Symantec 360R | Administration Guide - Page 117
    Preventing attacks 117 Enabling advanced protection settings ■ Block/Don't Warn Drop the packet; but do not log. You can configure the following options for enabling and disabling IDS/IPS signature detection and logging: ■ Select All to enable or disable detection of ALL signatures. ■ Enable/disable
  • Symantec 360R | Administration Guide - Page 118
    tools, such as NMAP, use invalid TCP flag combinations to detect a firewall on a network or map the security policy implemented on the firewall. Symantec Gateway Security 300 Series blocks and logs any traffic with illegal flag combinations for traffic that is not being denied by the security policy
  • Symantec 360R | Administration Guide - Page 119
    ■ Backing up and restoring configurations ■ Interpreting LEDs through the SGMI, or forward them to external services. Log messages are maintained until the appliance is restarted. most current messages are available to view. On models 360 and 360R, the most current 100 log events are maintained,
  • Symantec 360R | Administration Guide - Page 120
    120 Logging, monitoring and updates Managing logging Configuring log preferences Logging preferences let you set the way that you view log messages, the amount of logging that is performed, and how to handle when the log becomes full. The following settings help you create logging scenarios that are
  • Symantec 360R | Administration Guide - Page 121
    the log file. 3 Click Save. Configuring and verifying SNMP The appliance supports Simple Network Management Protocol (SNMP) version 1.0 and generates network event alert the SNMP server for status information from the Symantec Gateway Security 300 Series appliance. The appliance supports all
  • Symantec 360R | Administration Guide - Page 122
    Monitoring. To configure SNMP There are two parts to configuring SNMP: ■ Configuring SNMP ■ Verifying communication between the SNMP server and the Symantec Gateway Security 300 Series appliance. Before you begin configuring SNMP, collect the following information: ■ For TRAPs, you must have SNMP
  • Symantec 360R | Administration Guide - Page 123
    the types of information you choose. This is useful for isolating a problem or attack. If you select Debug information, performance may be affected by the number of messages that are created. You should select this option only for troubleshooting purposes, and then disable it when you are done. To
  • Symantec 360R | Administration Guide - Page 124
    360 and 360R have a WAN 2 section for the second WAN port status. The information on the View Log tab is current when you click it. Conditions may change while you are viewing the screen. Refresh updates the View Log tab to display the most current messages. You can manually instructions Symantec
  • Symantec 360R | Administration Guide - Page 125
    firmware from Symantec Technical Support and applying it using the symcftpw tool. By default, LiveUpdate checks for updates at the end of the Setup Wizard. You may disable this feature. See the Symantec Gateway Security 300 Series Installation Guide. Warning: Performing a manual firmware upgrade
  • Symantec 360R | Administration Guide - Page 126
    appliance from manual updates to automatic, LiveUpdate checks for updates at the next time you specify in the UTC text box. If LiveUpdate downloads and in the following situations: ■ The appliance is located behind a Symantec Gateway Security appliance using an HTTP proxy server. ■ The appliance
  • Symantec 360R | Administration Guide - Page 127
    name. 6 In the Password text box, type the proxy password. 7 Click Save. Changing the LiveUpdate server location By default, the LiveUpdate settings point to liveupdate.symantec.com. You can also configure the appliance to use your own LiveUpdate staging server instead of the
  • Symantec 360R | Administration Guide - Page 128
    and updates Updating firmware and instructions for installation are available on the Symantec Technical Support Web page http://www.symantec.com/techsupp/. Figure 9-1 shows several possible LiveUpdate configurations. Figure 9-1 LiveUpdate configurations Symantec Gateway Security 5400 Series VPN
  • Symantec 360R | Administration Guide - Page 129
    's Web site. If you do not configure LiveUpdate to automatically download and apply firmware upgrades, or if you are instructed to manually perform an upgrade by Symantec Technical Support, you should check the Symantec Web for the latest version of the firmware. Your current firmware version
  • Symantec 360R | Administration Guide - Page 130
    . You may also use the TFTP command to put firmware on the appliance. ■ Firmware file Download the latest firmware file from Symantec's Web site. Note: If the computer on which you run symcftpw has Norton Internet Security installed, you must configure both an inbound rule and an outbound rule in
  • Symantec 360R | Administration Guide - Page 131
    feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-3 Model 360 and 360R rear panel To flash the position (down). Running LiveUpdate Now Run LiveUpdate Now is the manual LiveUpdate feature. Run LiveUpdate Now immediately checks for the latest firmware
  • Symantec 360R | Administration Guide - Page 132
    manually flashing the firmware does not work, you can force the firmware on to the appliance. Do this only if flashing firmware as instructed in "Flashing the firmware" on page 130 does not work, or if you are instructed to do so by Symantec Technical Support firmware upgrade file. 10 Click Put. Wait
  • Symantec 360R | Administration Guide - Page 133
    service is available) of the last LiveUpdate check. This check may or may not have resulted in a new firmware version being downloaded if you plan to contact Symantec Technical Support. See "LiveUpdate tab field the Firmware Version. Backing up and restoring configurations You can back up your
  • Symantec 360R | Administration Guide - Page 134
    version of the firmware to restore your settings unless instructed to do so by Symantec Technical Support. The backup file is to the off (down) position. 10 Copy the backup file from your hard drive to a floppy disk and store in a secure location. To restore an appliance configuration 1 To turn
  • Symantec 360R | Administration Guide - Page 135
    and updates 135 Backing up and restoring configurations The default IP address of firmware upgrade that you downloaded from the Symantec Web site and applied to the appliance. Note: LiveUpdate does not download and apply all.bin firmware the Symantec Gateway Security 300 Series Installation Guide.
  • Symantec 360R | Administration Guide - Page 136
    . This graphic is for reference; the full description of each feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-5 Model 360 and 360R rear panel To perform a basic reset ◆ On the rear panel of the appliance, quickly press the reset button (1). To perform
  • Symantec 360R | Administration Guide - Page 137
    . This graphic is for reference; the full description of each feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-7 Model 360 and 360R rear panel Table 9-2 describes each LED. Table 9-2 LEDs Location Symbol Feature 1 Power Description Illuminates
  • Symantec 360R | Administration Guide - Page 138
    Solid off Solid off Flashing Solid on Flashing Flashing Flashing Solid on Normal operation. Transmitting/receiving Data from LAN. ■ MAC address not assigned. ■ Firmware problem. Appliance is ready for a forced download. ■ Appliance detected an error and cannot recover. Configuration mode.
  • Symantec 360R | Administration Guide - Page 139
    Both flashing alternatively Hardware problem. RAM error. Timer error. DMA error. LAN error. WAN error. Serial error. No power. ■ Download in progress. ■ it using the symcftpw or TFTP tools. Firmware downloaded and verified. This takes approximately 10 seconds. Applying the firmware. The amount of
  • Symantec 360R | Administration Guide - Page 140
    140 Logging, monitoring and updates Interpreting LEDs
  • Symantec 360R | Administration Guide - Page 141
    useful for Symantec Technical Support or for troubleshooting. The use debug mode temporarily for troubleshooting purposes, and disable it immediately this feature when you are done troubleshooting. The security gateway also provides resolution. Note: The PING troubleshooting tool should only be used
  • Symantec 360R | Administration Guide - Page 142
    142 Troubleshooting About troubleshooting To troubleshoot Symantec Gateway Security 300 Series appliances ■ See "Logging/Monitoring field descriptions" on page 151. ■ See "Troubleshooting tab field descriptions" on page 156 a host by its IP address you either have an ISP link problem or a routing
  • Symantec 360R | Administration Guide - Page 143
    others, the most likely problem is not your configuration. In this case Symantec Technical Support. Accessing troubleshooting information Use the following procedure to access troubleshooting information from the Symantec Knowledge Base. To access troubleshooting information 1 Go to www.symantec
  • Symantec 360R | Administration Guide - Page 144
    144 Troubleshooting Accessing troubleshooting information ■ On the Browse tab, expand a heading to see knowledge base articles related to that topic.
  • Symantec 360R | Administration Guide - Page 145
    Symantec Client VPN software may licensed for an appliance. The Symantec Client VPN software version must be listed as supported in the Symantec for 10 concurrent VPN sessions. You must obtain additional licenses as necessary to allow the maximum number of concurrent sessions you require. You are
  • Symantec 360R | Administration Guide - Page 146
    part of the Appliance. B make copies of the printed documentation which accompanies the Appliance as necessary to support Your authorized use of the Appliance; and C after written notice to Symantec and in connection with a transfer of the Appliance, transfer the Software on a permanent basis to
  • Symantec 360R | Administration Guide - Page 147
    or replace any defective Software returned to Symantec within the warranty period or refund the money You paid for the Appliance. Symantec warrants that the hardware component of the Appliance (the "Hardware") shall be free from defects in material and workmanship under normal use and service and
  • Symantec 360R | Administration Guide - Page 148
    Symantec. Symantec does not warrant that the Appliance will meet Your requirements or that operation of the Appliance will be uninterrupted or that the Appliance will be error-free. In order to exercise any of the warranty rights contained in this Agreement, You must have available an original sales
  • Symantec 360R | Administration Guide - Page 149
    . The disclaimers of warranties and damages and limitations on liability shall survive termination. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477
  • Symantec 360R | Administration Guide - Page 150
    150 Licensing SYMANTEC GATEWAY SECURITY APPLIANCE LICENSE AND WARRANTY AGREEMENT
  • Symantec 360R | Administration Guide - Page 151
    Logging/Monitoring field descriptions The Symantec Gateway Security 300 Series provides configurable system logging features and tabs for viewing the system logs and monitoring system status. It also has built-in testing tools for troubleshooting and connectivity verification. This section
  • Symantec 360R | Administration Guide - Page 152
    and settings of the security gateway. Table C-1 Status tab field descriptions Section Field Description Model 320: WAN (External Port) Model 360/360R: WAN 1 (External Port) WAN 2 (External Port) Connection Status Displays whether the WAN port is connected or disconnected to the Internet
  • Symantec 360R | Administration Guide - Page 153
    a DHCP server for connected clients. Firmware Version Displays the factory firmware version or the firmware version from the most recent LiveUpdate or manual update. Language Version Displays the factory version or the most recent update. Model Displays the model number of the security gateway
  • Symantec 360R | Administration Guide - Page 154
    of the logged event. Displays the origin of the packet. Displays the intended destination of the packet. Displays the protocol name or number or additional troubleshooting information.
  • Symantec 360R | Administration Guide - Page 155
    email address. The maximum number of characters is 39. Include multiple receivers by separating each address with a comma. To email logs, this is a required field. Email Log Now After you have typed the SMTP server, and the sender and receiver email addresses, you can click Email Log Now to
  • Symantec 360R | Administration Guide - Page 156
    . Only use this option when you are troubleshooting a problem, and then disable it after you have solved the problem. NTP Server IP address of the non-public NTP Server. Troubleshooting tab field descriptions The Troubleshooting tab helps you troubleshoot your security gateway with debug options
  • Symantec 360R | Administration Guide - Page 157
    . The address is not validated, so ensure that you type the address accurately. Tool (Model 320) Troubleshooting tools. Options include: ■ PING ■ DNS Lookup Click Run Tool. Tool (Model 360/ 360R) Troubleshooting tools. Options include: ■ PING ■ DNS Lookup Click Run thru WAN 1 or Run thru WAN
  • Symantec 360R | Administration Guide - Page 158
    Password used to access the SGMI. The user name is always admin. The login is case-sensitive. Retype the admin's password. First IP address in the IP Address 3 Enable Remote Monitoring Description A community string may be required by your SNMP server. IP address of SNMP TRAP receivers. TRAPs are
  • Symantec 360R | Administration Guide - Page 159
    IP address or fully qualified domain name of the LiveUpdate server from which to get firmware updates. The default address is http://liveupdate.symantec.com. Enables the LiveUpdate scheduler. This lets you schedule times for the security gateway to automatically check for firmware updates, and then
  • Symantec 360R | Administration Guide - Page 160
    160 Field descriptions LAN field descriptions Table C-7 LiveUpdate tab field descriptions (Continued) Section Field Description Optional Settings Status HTTP Proxy Server Enables the security gateway to contact the LiveUpdate server through a HTTP proxy server. Proxy Server Address IP
  • Symantec 360R | Administration Guide - Page 161
    Field descriptions 161 LAN field descriptions LAN IP & DHCP tab field descriptions The LAN IP & DHCP tab lets you set the security gateway's IP address and configure the security gateway to act as a DHCP server. Table C-8 LAN IP & DHCP tab field descriptions Section LAN IP DHCP DHCP Table
  • Symantec 360R | Administration Guide - Page 162
    360/360R) Assigns ports on the switch function of the security gateway as trusted or untrusted. This enables wireless and wired LAN-based VPN security through the port-based virtual network capabilities of the switch function on the security gateway, in addition to support Requires Symantec
  • Symantec 360R | Administration Guide - Page 163
    Field descriptions 163 WAN/ISP field descriptions ■ Main Setup tab field descriptions ■ Static IP & DNS tab field descriptions ■ PPPoE tab field descriptions ■ Dial-up Backup & Analog/ISDN tab field descriptions ■ PPTP tab field descriptions ■ Dynamic DNS tab field descriptions ■ Routing tab field
  • Symantec 360R | Administration Guide - Page 164
    the security gateway's identification settings. Table C-10 Main Setup tab field descriptions Section Fields Description Model 320: Connection Type Model 360/360R: WAN1 (External) or WAN2 (External) Connection Type The following connection types are supported: ■ DHCP (Auto IP) Your ISP
  • Symantec 360R | Administration Guide - Page 165
    descriptions 165 WAN/ISP field descriptions Table C-10 Main Setup tab field descriptions (Continued) Section Section Field Description Model 320: IP Address WAN IP Model 360/360R: WAN 1 IP, WAN 2 Netmask IP Static IP address for your account. If you type an IP address, you must also type
  • Symantec 360R | Administration Guide - Page 166
    WAN Port (Model Select the WAN port for which you are 360/360R) configuring PPPoE. Model 360: WAN Session Port and Sessions Lets you configure how the WAN port uses PPPoE. To configure a single-session PPPoE account, click Session 1, and then click Select. To configure a multi-session PPPoE
  • Symantec 360R | Administration Guide - Page 167
    Choose Service Query Services Service User Information User Name Manual Control Password Verify Password Connect Disconnect When you click Query Services, the security gateway connects to your ISP and determines which services are available. You must disconnect from your PPPoE account before
  • Symantec 360R | Administration Guide - Page 168
    dynamically assigns you an IP address. Dial-up Telephone Telephone number for the security gateway to 1, Dial-up dial to connect to the dial-up account. You must Telephone 2, Dial- specify at least one, and up to three dial-up up Telephone 3 numbers. If Dial-up Telephone 1 fails to connect
  • Symantec 360R | Administration Guide - Page 169
    Line Type Dial Type Dial String Idle Time-out Redial String Manual Control Dial Hang Up Description Model type of your modem. If to connect to the dial-up account. If the security gateway is having trouble connecting, lower the line speed. Type of line for your account. ■ Dial Up Line This line
  • Symantec 360R | Administration Guide - Page 170
    PPP link status includes: ■ User Authenticated via PPP (User name/ password was correct) ■ Off ■ On PPP IP Address IP address that is assigned to your account when you connect. If you have a static IP address, it is the same each time. If the ISP assigns IP addresses dynamically, the IP address
  • Symantec 360R | Administration Guide - Page 171
    port for which you are configuring PPTP. 360/360R 360/360R) Connection Connect on Demand When enabled, a account. Manual Control Connect Opens a connection to your PPTP account. Disconnect Closes an open connection the PPTP account. Dynamic DNS tab field descriptions Dynamic DNS services
  • Symantec 360R | Administration Guide - Page 172
    (Model WAN port to configure dynamic DNS. 360/360R) Force DNS Update Sends updated IP information to the dynamic DNS service. Do this only if requested by Symantec Technical Support. Key Alphanumeric string of characters that acts as a password for the TZO account. TZO sends the key when the
  • Symantec 360R | Administration Guide - Page 173
    Optional Wildcards Settings Backup MX Mail Exchanger Description User name for the account that you create with a dynamic DNS service. Password for the account that you create with a dynamic DNS service. Retype the dynamic DNS account password. IP address or DNS-resolvable name of the server that
  • Symantec 360R | Administration Guide - Page 174
    department gateways. Select an entry from the list to edit or delete. IP address/subnet for traffic requiring routing. Mask (used with the destination IP address) to set range of IP addresses for traffic requiring routing. IP address of the router to which to send traffic, that meets the IP address
  • Symantec 360R | Administration Guide - Page 175
    , if you type 80%, WAN 1 passes 80% of the traffic and WAN 2 passes 20%. The default percentage is 50%. Bind SMTP with WAN Port (Model 360/360R) Determines the WAN port (and subsequently, which ISP) through which email is sent. This is useful if you have two different ISPs configured, one for
  • Symantec 360R | Administration Guide - Page 176
    Renew (Model 320) Sends a request to the ISP to renew the DHCP lease. Renew WAN1, Sends a request to the ISP to renew the DHCP Renew WAN2 lease for WAN1 or WAN2. (Model 360/360R) WAN Port 1 WAN Port 2 (Model 360/360R Firewall field descriptions The Symantec Gateway Security 300 Series
  • Symantec 360R | Administration Guide - Page 177
    Field descriptions 177 Firewall field descriptions ■ Services tab field descriptions ■ Special Application tab field descriptions ■ Advanced tab field descriptions Computers tab field descriptions Before configuring outbound or inbound rules, you must identify
  • Symantec 360R | Administration Guide - Page 178
    text box. This is required for application servers. Checking this Bind with WAN port (Model 360/ 360R) Binds this computer to a particular useful if you have two broadband accounts configured, one for each WAN Only select a session if your ISP service includes multiple PPPoE sessions. Host Name
  • Symantec 360R | Administration Guide - Page 179
    with non-compliant virus software or virus definitions is denied access to the external network. The client is allowed access to the Symantec Antivirus CE Server or LiveUpdate server to bring their virus definitions into compliance. Content Filtering Enable Content Filtering If you enable content
  • Symantec 360R | Administration Guide - Page 180
    the security gateway. No rules need to be defined for access groups in this category. This is useful for nodes that only require access to the LAN and do not require access to the external network, for example network printers. Use rules defined in Outbound Rules Screen When an access group is
  • Symantec 360R | Administration Guide - Page 181
    Select an outbound rule to update or delete. Rule Name Name of the outbound rule. Enable Rule Check to enable the outbound rule. Service Service which the outbound rule governs. Outbound Rules Enabled? List Displays Y or N. Indicates whether the outbound rule is enabled for use. Name Name
  • Symantec 360R | Administration Guide - Page 182
    and inbound firewall rules on the Services tab. Table C-22 Services tab field descriptions Section Services Application Settings Field Description Application Select an application available for services to edit or delete. Name Name of the service you are creating. Protocol Select the
  • Symantec 360R | Administration Guide - Page 183
    Section Service List Services tab field descriptions (Continued) Field Description Name Name of the service. Protocol Protocol associated with the service. with two-way communication (games, video or teleconferencing) require dynamic ports on the security gateway. Use the Special
  • Symantec 360R | Administration Guide - Page 184
    184 Field descriptions Firewall field descriptions Table C-23 Section Special Application Settings Special Applications tab field descriptions (Continued) Field Description Name Name of the special application. Enable Enables the special application for all computer groups. Outgoing
  • Symantec 360R | Administration Guide - Page 185
    Field descriptions 185 Firewall field descriptions Table C-23 Special Applications tab field descriptions (Continued) Section Field Description Special Application List Name Name of the special application. Enabled Indicates whether the special application is enabled for all computer
  • Symantec 360R | Administration Guide - Page 186
    IDENT Settings Port Disabling the IDENT port makes port 113 closed, not stealth (not open). You should enable this setting only if there are problems accessing a server. The IDENT port normally contains the host name or company name information. By default, the security gateway sets all ports to
  • Symantec 360R | Administration Guide - Page 187
    the VPN gateway on the security gateway. Keep this setting at 2 SPI unless instructed by Symantec Technical Support to change it. The None setting lets VPN clients be used in exposed host mode if it is having problems connecting from behind the security gateway. Options include: ■ 1 SPI ADI (Assured
  • Symantec 360R | Administration Guide - Page 188
    VPNs are used to allow a single user or a remote network access to the protected resources of another network. The Symantec Gateway Security 300 Series security gateways support two types of VPN tunnels: Gateway-to-Gateway and Client-to-Gateway. This section contains the following topics: ■ Dynamic
  • Symantec 360R | Administration Guide - Page 189
    . Client VPN software typically negotiates in aggressive mode. The default value is Main Mode. Policy that dictates authentication, encryption, and timeout settings. The list contains Symantec pre-defined policies and any policies you created on the VPN Policies tab.
  • Symantec 360R | Administration Guide - Page 190
    requires an ISP PPPoE account. If you have a single-session PPPoE account, leave the PPPoE session at Session 1. Local Endpoint Port on the security gateway where you want the (Model 360/360R Network Neighborhood and file sharing on a Microsoft Windows computer. A WINS host is needed to accept the traffic
  • Symantec 360R | Administration Guide - Page 191
    Field descriptions 191 VPN field descriptions Table C-25 Section Dynamic Tunnels field descriptions Field Description Global Tunnel Normally, only requests destined to the network protected by the remote VPN Gateway are forwarded through the VPN. Other traffic, like Web browsing are forwarded
  • Symantec 360R | Administration Guide - Page 192
    192 Field descriptions VPN field descriptions Table C-25 Dynamic Tunnels field descriptions Section Field Description Remote Security Gateway Gateway Address IP address or fully qualified domain name of the remote gateway (the gateway to which the tunnel will connect). The maximum number of
  • Symantec 360R | Administration Guide - Page 193
    Field descriptions 193 VPN field descriptions Static Tunnels tab field descriptions This table describes the fields on the Static Tunnels tab that you use to
  • Symantec 360R | Administration Guide - Page 194
    194 Field descriptions VPN field descriptions configure static gateway-to-gateway VPN tunnels for the security gateway.
  • Symantec 360R | Administration Guide - Page 195
    Enable VPN Tunnel PPPoE Session Local Endpoint (Model 360) Incoming SPI Outgoing SPI VPN Policy Select a . This requires an ISP PPPoE account. The default PPPoE session is Session 1. If you have a single-session PPPoE account, leave Symantec pre-defined policies and any policies you created on the VPN
  • Symantec 360R | Administration Guide - Page 196
    field is 128 alphanumeric characters. NetBIOS Broadcast Allows browsing of the VPN network in the Network Neighborhood and file sharing on a Microsoft Windows computer. A WINS host is needed to accept the traffic. NetBIOS is disabled by default. Global Tunnel Normally, only requests destined to
  • Symantec 360R | Administration Guide - Page 197
    the secondary DNS server that the VPN user uses for name resolution. Primary WINS IP address of the primary WINS server. Windows Internet Naming Service (WINS) is a system that determines the IP address associated with a particular network computer. Secondary WINS IP address of the secondary WINS
  • Symantec 360R | Administration Guide - Page 198
    Content filtering uses the allow list, a list of URLs that clients are permitted to view, blocking all other traffic. Enable Antivirus Policy Enforcement Requires that all users in the selected VPN group have antivirus software with the most current virus definitions. Warn Only If the user does
  • Symantec 360R | Administration Guide - Page 199
    To temporarily suspend a user, uncheck Enable, and then click Update. To permanently remove a user, click Delete. User name for the client user. The maximum number for this value is 31. It must match the remote Client ID in Symantec Client VPN software. You can add up to 50 client users. ISAKMP (
  • Symantec 360R | Administration Guide - Page 200
    Association (Phase 2) Parameters VPN Policy Select a policy to update or delete. Note: You cannot delete Symantec pre-defined policies. Options include: ■ ike_default_crypto ■ ike_default_crypto_strong ■ Static_default_crypto ■ Static_default_crypto_strong ■ Any VPN policies you created Name
  • Symantec 360R | Administration Guide - Page 201
    descriptions (Continued) Field SA Lifetime Data Volume Limit Inactivity Timeout Perfect Forward Secrecy Description Time, in 483,647 minutes. Maximum number of kilobytes allowed through a tunnel before a rekey is required. The default value is 2100000 KB (2050 MB). The maximum value is 4200000 KB
  • Symantec 360R | Administration Guide - Page 202
    202 Field descriptions VPN field descriptions Status tab field descriptions The Status tab shows the status of your VPN tunnels and client users. Table C-30 Status tab field descriptions Section Dynamic VPN Tunnels Static VPN Tunnels Field Description Status Status of the selected tunnel.
  • Symantec 360R | Administration Guide - Page 203
    value is 31 alphanumeric characters. VPN Policy VPN policy for VPN client tunnels for phase 2 tunnel negotiation. The list shows pre-defined Symantec policies and any policies you created on the VPN Policies tab. Dynamic VPN Client Settings Enable Dynamic VPN Client Tunnels Lets undefined VPN
  • Symantec 360R | Administration Guide - Page 204
    Secret or Key Authentication key used by the RADIUS server. The maximum value is 50 alphanumeric characters. IDS/IPS field descriptions The Symantec Gateway Security 300 series security gateway provides intrusion detection and prevention (IDS/IPS). The IDS/IPS functions are enabled by default, and
  • Symantec 360R | Administration Guide - Page 205
    Field descriptions 205 IDS/IPS field descriptions ■ Port scan detection This section contains the following topics: ■ IDS Protection tab field descriptions ■ Advanced tab field descriptions IDS Protection tab field descriptions Configure basic IDS protection on the IDS Protection tab. Table C-32
  • Symantec 360R | Administration Guide - Page 206
    206 Field descriptions IDS/IPS field descriptions Advanced tab field descriptions Configure spoof protection on the Advanced tab. Table C-33 Advanced tab field descriptions Section Field Description IP Spoof Protection WAN Enables spoof protection on the LAN. WLAN/LAN Enables spoof
  • Symantec 360R | Administration Guide - Page 207
    the security gateway to query the antivirus server. For example, if you type 10 minutes, the security gateway queries the antivirus server every 10 minutes to obtain the latest virus definition list. The default setting is 10 minutes. You must enter a value greater than 0. Query Master This button
  • Symantec 360R | Administration Guide - Page 208
    is When enabled, this field lets you verify that Active Symantec antivirus software is installed and active on a client's workstation. definitions. For example, if you type 10 minutes, the security gateway queries the client workstations every 10 minutes to verify that their workstations have
  • Symantec 360R | Administration Guide - Page 209
    example: 5/14/2003. Displays the IP address (or qualified domain name) of the primary or secondary antivirus server. Displays the current product version of the Symantec AntiVirus Corporate Edition that the antivirus server is running; for example: 7.61.928. Displays the current version of the
  • Symantec 360R | Administration Guide - Page 210
    the client is using. Version of the scan engine in the Symantec antivirus product the client is using. Version of the client's most recent virus definitions. Content filtering field descriptions The security gateway supports basic content filtering for outbound traffic. You use content filtering
  • Symantec 360R | Administration Guide - Page 211
    List Content filtering configuration fields Field Description Input URL Delete URL URL Type a URL to add to the deny or allow list. For example, www.symantec.com or myadultsite.com/mypics/me.html The maximum length of a URL is 128 characters. Each filtering list can hold up to 100 entries. You
  • Symantec 360R | Administration Guide - Page 212
    212 Field descriptions Content filtering field descriptions
  • Symantec 360R | Administration Guide - Page 213
    and restoring configurations 133 backup dial-up account 39, 42 BattleNet 74 Bonk 116 broadband accounts 29 Symantec Gateway 5400 Series clusters 91 compression, tunnel 82 computer group membership 65 computer groups defining 67 computers and computer groups 64 configuration, backing up and restoring
  • Symantec 360R | Administration Guide - Page 214
    policies 84 security policies 82 D default settings, restore port assignment 61 defining computer group membership 65 inbound Renew 176 IP address range 60 usage 60 DHCP server 58 DHCP settings advanced settings 43 dial-up accounts 39 backup 42 back-up account 39 configuring 40 connecting manually
  • Symantec 360R | Administration Guide - Page 215
    administrative access 15 content filtering lists 112 ICMP requests 79 using the serial console 19 manual dial-up accounts 42 manually connect to PPTP account 38 upgrading firmware 129 manually reset password 17 Maximum Transmission Unit (MTU) 45 modem connectivity 40 monitoring antivirus server
  • Symantec 360R | Administration Guide - Page 216
    167 question mark 13 R rear panel 320 appliance 39 360 and 360R 39 redirecting services 73 remote gateway administrator, sharing information 96 remote management 17 resetting the appliance 135 restore port assignment default settings 61 routing 48 routing, dynamic 48 S scroll lock 19 secure VPN
  • Symantec 360R | Administration Guide - Page 217
    updating firmware 124 upgrading firmware Norton Internet Security 130 V verifying policies 84 creating tunnels to Symantec Gateway Security 5400 Series clusters 82 secure connections 81 subnet 90 supported gateway-to-gateway tunnels 90 tunnel renew 43 multiple IP addresses 31 Winnuke 116 Index 217
  • Symantec 360R | Administration Guide - Page 218
    218 Index

Symantec™ Gateway Security
300 Series Administrator’s
Guide
Supported models:
Models 320, 360, and 360R