Home » Symantec Manuals » Computer Software » Symantec 360R » Manual Viewer

Symantec 360R Administration Guide - Page 83

Global IKE Policy Phase 1, non-configurable, except for SA, lifetime parameter, VPN Policies Phase 2

UPC - 037648240185

Add to My Manuals
Save this manual to your list of manuals

Page 83 highlights

Establishing secure VPN connections 83 Creating security policies Global IKE Policy (Phase 1, non-configurable, except for SA lifetime parameter) The security gateway includes a predefined global IKE policy that automatically applies to your IKE Phase 1 negotiations. This global IKE policy works in conjunction with the VPN policy you configure for Phase 2 negotiations. The Global IKE Policy provides the parameters that define Phase 1 negotiations of the IKE tunnel, while the VPN policy you configure and select provides the parameters for Phase 2 negotiations. The only parameter in the Global IKE Policy whose setting can be changed is the SA (security association) Lifetime, which specifies the period of time after which the tunnel rekeys (in minutes). This parameter is located in VPN > Advanced > Global IKE Settings (Phase 1 Rekey). When two security gateways are negotiating Phase 1, the first security gateway sends a list of proposals, called a transform proposal list. The security gateway to which it is connecting then selects a proposal from the list that it likes best, generally the strongest available option. You cannot change the transform proposal list on the appliance; however this information may be useful to give to the remote gateway administrator.Table 6-1 lists the order of the Symantec Gateway Security 300 IKE proposals. Table 6-1 IKE proposal order Data Privacy Data Integrity Diffie-Hellman 3DES 3DES 3DES 3DES DES DES SHA1 MD5 SHA1 MD5 SHA1 MD5 Group 5 Group 5 Group 2 Group 2 Group 1 Group 1 Some settings are configurable at a global level for Client-to-Gateway tunnels. See "Setting global policy settings for Client-to-Gateway VPN tunnels" on page 101. VPN Policies (Phase 2, configurable) The security gateway includes a set of four pre-defined, configurable VPN policies that apply to Phase 2 tunnel negotiations. Rather than configuring data privacy, data integrity, and data compression algorithms for every tunnel you create, the security gateway lets you configure standard, reusable VPN policies

Section	Page
Introducing the Symantec Gateway Security 300 Series	11
Intended audience	12
Where to get more information	12
Administering the security gateway	13
Accessing the Security Gateway Management Interface	13
Using the SGMI	15
Managing administrative access	15
Setting the administration password	16
Configuring remote management	17
Managing the security gateway using the serial console	19
Configuring a connection to the outside network	23
Network examples	24
Understanding the Setup Wizard	27
About dual-WAN port appliances	27
Understanding connection types	28
Configuring connectivity	30
DHCP	30
PPPoE	31
Static IP and DNS	34
PPTP	36
Dial-up accounts	39
Configuring advanced connection settings	43
Advanced DHCP settings	43
Advanced PPP settings	44
Maximum Transmission Unit (MTU)	45
Configuring dynamic DNS	45
Forcing dynamic DNS updates	47
Disabling dynamic DNS	48
Configuring routing	48
Enabling dynamic routing	48
Configuring static route entries	49
Configuring advanced WAN/ISP settings	50
High availability	50
Load balancing	51
SMTP binding	52
Binding to other protocols	52
Failover	52
DNS gateway	53
Optional network settings	54
Configuring internal connections	57
Configuring LAN IP settings	57
Configuring the appliance as DHCP server	58
Monitoring DHCP usage	60
Configuring port assignments	60
Standard port assignment	61
Network traffic control	63
Planning network access	63
Understanding computers and computer groups	64
Defining computer group membership	65
Defining computer groups	67
Defining inbound access	68
Defining outbound access	69
Configuring services	72
Redirecting services	73
Configuring special applications	74
Configuring advanced options	76
Enabling the IDENT port	76
Disabling NAT mode	77
Enabling IPsec pass-thru	77
Configuring an exposed host	78
Managing ICMP requests	79
Establishing secure VPN connections	81
About using this chapter	82
Creating security policies	82
Understanding VPN policies	82
Creating custom Phase 2 VPN policies	84
Viewing VPN Policies List	85
Identifying users	85
Understanding user types	86
Defining users	86
Viewing the User List	88
Configuring Gateway-to-Gateway tunnels	88
Understanding Gateway-to-Gateway tunnels	88
Configuring dynamic Gateway-to-Gateway tunnels	91
Configuring static Gateway-to-Gateway tunnels	93
Sharing information with the remote gateway administrator	96
Configuring Client-to-Gateway VPN tunnels	96
Understanding Client-to-Gateway VPN tunnels	97
Defining client VPN tunnels	99
Setting global policy settings for Client-to-Gateway VPN tunnels	101
Sharing information with your clients	101
Monitoring VPN tunnel status	102
Advanced network traffic control	103
How antivirus policy enforcement (AVpe) works	104
Before you begin configuring AVpe	105
Configuring AVpe	106
Enabling AVpe	107
Configuring the antivirus clients	109
Monitoring antivirus status	109
Log messages	110
Verifying AVpe operation	110
About content filtering	111
Special considerations	111
Managing content filtering lists	112
Special considerations	112
Enabling content filtering for LAN	113
Enabling content filtering for WAN	113
Monitoring content filtering	114
Preventing attacks	115
How intrusion detection and prevention works	115
Trojan horse protection	116
Setting protection preferences	116
Enabling advanced protection settings	117
IP spoofing protection	117
TCP flag validation	118
Logging, monitoring and updates	119
Managing logging	119
Configuring log preferences	120
Managing log messages	124
Updating firmware	124
Automatically updating firmware	125
Upgrading firmware manually	129
Checking firmware update status	133
Backing up and restoring configurations	133
Resetting the appliance	135
Interpreting LEDs	136
LiveUpdate and firmware upgrade LED sequences	139
Troubleshooting	141
About troubleshooting	141
Accessing troubleshooting information	143
Licensing	145
Session licensing for Symantec Gateway Security 300 Series Client-to-Gateway VPN functions	145
Additive session licenses	145
SYMANTEC GATEWAY SECURITY APPLIANCE LICENSE AND WARRANTY AGREEMENT	146
Field descriptions	151
Logging/Monitoring field descriptions	151
Status tab field descriptions	152
View Log tab field descriptions	154
Log Settings tab field descriptions	155
Troubleshooting tab field descriptions	156
Administration field descriptions	157
Basic Management tab field descriptions	158
SNMP tab field descriptions	158
LiveUpdate tab field descriptions	159
LAN field descriptions	160
LAN IP & DHCP tab field descriptions	161
Port Assignment tab field descriptions	162
WAN/ISP field descriptions	162
Main Setup tab field descriptions	164
Static IP & DNS tab field descriptions	165
PPPoE tab field descriptions	166
Dial-up Backup & Analog/ISDN tab field descriptions	167
PPTP tab field descriptions	171
Dynamic DNS tab field descriptions	171
Routing tab field descriptions	174
Advanced tab field descriptions	175
Firewall field descriptions	176
Computers tab field descriptions	177
Computer Groups tab field descriptions	179
Inbound Rules field descriptions	180
Outbound Rules tab field descriptions	181
Services tab field descriptions	182
Special Application tab field descriptions	183
Advanced tab field descriptions	186
VPN field descriptions	187
Dynamic Tunnels tab field descriptions	189
Static Tunnels tab field descriptions	193
Client Tunnels tab field descriptions	197
Client Users tab field descriptions	199
VPN Policies tab field descriptions	200
Status tab field descriptions	202
Advanced tab field descriptions	203
IDS/IPS field descriptions	204
IDS Protection tab field descriptions	205
Advanced tab field descriptions	206
AVpe field descriptions	207

Match case Limit results 1 per page

Establishing secure VPN connections

Creating security policies

Global IKE Policy (Phase 1, non-configurable, except for SA

lifetime parameter)

The security gateway includes a predefined global IKE policy that automatically

applies to your IKE Phase 1 negotiations. This global IKE policy works in

conjunction with the VPN policy you configure for Phase 2 negotiations. The

Global IKE Policy provides the parameters that define Phase 1 negotiations of

the IKE tunnel, while the VPN policy you configure and select provides the

parameters for Phase 2 negotiations.

The only parameter in the Global IKE Policy whose setting can be changed is the

SA (security association) Lifetime, which specifies the period of time after which

the tunnel rekeys (in minutes). This parameter is located in VPN > Advanced >

Global IKE Settings (Phase 1 Rekey).

When two security gateways are negotiating Phase 1, the first security gateway

sends a list of proposals, called a transform proposal list. The security gateway

to which it is connecting then selects a proposal from the list that it likes best,

generally the strongest available option. You cannot change the transform

proposal list on the appliance; however this information may be useful to give to

the remote gateway administrator.

Table 6-1

lists the order of the Symantec

Gateway Security 300 IKE proposals.

Some settings are configurable at a global level for Client-to-Gateway tunnels.

See

“Setting global policy settings for Client-to-Gateway VPN tunnels”

page 101.

VPN Policies (Phase 2, configurable)

The security gateway includes a set of four pre-defined, configurable VPN

policies that apply to Phase 2 tunnel negotiations. Rather than configuring data

privacy, data integrity, and data compression algorithms for every tunnel you

create, the security gateway lets you configure standard, reusable VPN policies

Table 6-1

IKE proposal order

Data Privacy

Data Integrity

Diffie-Hellman

3DES

SHA1

Group 5

3DES

MD5

Group 5

3DES

SHA1

Group 2

3DES

MD5

Group 2

DES

SHA1

Group 1

DES

MD5

Group 1