
STONEGATE FIREWALL 5.



, ,
, Stonesoft:
www.stonesoft.com/en/support/eula.html


StoneGate
. -
Stonesoft:
www.stonesoft.com/en/support/third_party_licenses.html


, ,
, . (),
" ",
(DOD Supplement to the Federal Acquisition Regulations -DFAR) 252.227-7013(c) (1).
, ,
52.227-19(c) (2)
(Federal Acquisition Regulations - FAR). , ,
.


, ,
N:o 1334/2000 22 2000 .,
( ). ,
Stonesoft .

,
, ,
, Stonesoft:
www.stonesoft.com/en/support/view_support_offering/terms/


- Stonesoft:
www.stonesoft.com/en/support/view_support_offering/return_material_authorization/


.
- Stonesoft:
www.stonesoft.com/en/support/view_support_offering/terms/


,
: 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290,
1326393, 1379046, 1330095, 131711, 1317937 1443729 6,650,621; 6 856 621; 6,885,633; 6,912,200;
6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525;
7,406,534; and 7,461,401 , .
Stonesoft, Stonesoft StoneGate,
Stonesoft Corporation.
.


, "
" Stonesoft , ,
, . IP-
.
2011 Stonesoft Corporation. . .

Revision: SGFIG_20110222



:
StoneGate - 7

STONEGATE

,
StoneGate .
.
:
( 8)
( 8)
( 10)


,
StoneGate VPN (StoneGate Firewall/
VPN).
. ,
.

:
3.1

(, , )

.

,
.

:
,
.
,
.
, ,
.


StoneGate :
. StoneGate
.

StoneGate

Online Help F1,


Help→Help Topics, Help . ,
, ,
, .
3.1 Online Help



,
.


a a .
P PDF
Management Center http://www.stonesoft.com/
support/.
Table 3.2


(Reference Guide)

StoneGate.

.
StoneGate Management Center, Firewall/VPN,
StoneGate IPS.


(Installation Guide)

,
StoneGate. StoneGate
Management Center, Firewall/VPN, StoneGate IPS
SOHO .

(Online help)

.
"Help" "Help",
F1 . StoneGate Management
Client, StoneGate Web Portal StoneGate SSL VPN Administrator.


(Administrators Guide)

.
StoneGate Firewall/
VPN StoneGate IPS, a
StoneGate SSL VPN StoneGate IPsec VPN Client.


(Users Guide)

.
StoneGate IPsec VPN client StoneGate Web Portal.

Table 3.2


(Appliance
Installation Guide)


StoneGate ( ,
..).
StoneGate .


StoneGate
. StoneGate,
.
StoneGate Stonesoft:
http://www.stonesoft.com/support/.


StoneGate
: www.stonesoft.com/en/products_and_solutions/products/.
StoneGate,
(Release Notes),
.


,
StoneGate Stonesoft, : http://www.stonesoft.com/.


License Center Stonesoft: https://my.stonesoft.com/
managelicense.do.
,
order@stonesoft.com.


Stonesoft
StoneGate.
Support Stonesoft http://www.stonesoft.com/support/.


,
. .

feedback@stonesoft.com.
10

StoneGate


documentation@stonesoft.com.


info@stonesoft.com.

11

12

StoneGate

:
- 15
- 21
NAT - 25

13

14

,
, .
:
StoneGate ( 16)
( 17)
( 17)
( 17)

15

StoneGate
StoneGate firewall StoneGate Management Center
StoneGate. StoneGate

, . 16
, .
StoneGate
Management Center (SMC).
StoneGate :
: Multi-Layer

. .
,
(UTM-unified threat management).
:
.
.
Multi-Link: Multi-Link
,
.
Multi-Link ,
VPN .
QoS :

.
: StoneGate ,
,
.
: StoneGate ,
VPN
Multi-Link. StoneGate
ISP VPN-.
StoneGate Management Center
StoneGate IPS: StoneGate Firewall/VPN
StoneGate IPS Management Center
.
SMC, . SMC

StoneGate. SMC .
SMC Reference Guide SMC,
IPS Reference Guide
StoneGate.

. , , StoneGate Management
Center 5.0 .

, StoneGate Administrators Guide.
16


, StoneGate ,
, StoneGate.

.
. ( 149).


Management Center, ,
.

, StoneGate Management Center
5.0 . , 5.0,

( 21).
1. ( , . )
. . ( 21).
2. NAT
, (Contact Addresses). .
NAT ( 25).
3. Management Client. .
( 33),
( 53).
4. . .
( 71).
5. .
StoneGate, .
Appliance Installation Guide,
.
, .
Intel ( 99).
6. . .
( 77).


Firewall/VPN Reference Guide,
StoneGate.

17

StoneGate.
Intel- . Hardware
Requirements : http://
www.stonesoft.com/en/support/.
VMware. ,

(Release Notes). .
/VPN StoneGate VMWare ESX
StoneGate Technical Documentation.
, Linux.
.


, , , ,
Management Center
Management Client. ,
Management Server . ,
UTC Management
Server. StoneGate UTC.

IP
IP ,
, :
IP - Cluster Virtual IP Address (CVI): IP ,
.
IP ,
IP .
IP - Node Dedicated IP Address (NDI): IP ,

. IP
,
Management Server, ..
CVI / NDI .




,
fail-over ,
.

.
. , ,
.

18

, , , .

.
,
- .
, , PortFast
, / /
StoneGate .
Multicast (. Online Help
Administrators Guide ).

.


. Packet Dispatch
,
.
.
Firewall/VPN Reference Guide
.
Packet Dispatch, ,
MAC .
MAC ,
.
CVI (Cluster Virtual IP Address),
CVI (Cluster Virtual IP Addresses).
Cluster Virtual IP Address ,
. , StoneGate
ARP .
, MAC
.
, ,
MAC . ,
Cluster Virtual IP Address
.

19

20


.
:
( 22)
( 23)
( 23)

21


.
5.0 ,
. Generate and Install New Licenses
Automatically SMC, Management Server
Stonesoft License Center .
Management Server Stonesoft License Center ,
5.0
30 . ,
Stonesoft License Center Management Server
Management Client, .
management-bound,
POL (proof-of-license) .
POS (proof-of-serial-number) .
POS,
.
Management Server
.
?
,
.
NAT ,
. NAT ( 25)
NAT ,
.
:
( 33).
( 53).


, .
1. Stonesoft License Center. .
( 23).
2. Management Client. . ( 23).

22


Stonesoft License Center POL (proof-of-license
) POS (proof of serial -
, ).
- .
,
.

1. Stonesoft License Center www.stonesoft.com/license/.
2. proof-of-license proof-of-serial number
Submit. .
3. Register. .
4. POL Management Server , .
,
. , Management Client
.
5. Submit Request.
. .

. .
.


,
Management Client. ,
, .
StoneGate
1. Management Client File→System Tools→Install Licenses.

2.
, .

23


1. Configuration
Administration. Administration Configuration.
1

2. Licenses.

3. All Licenses.
.
management-bound,
. POS
, .
?
NAT
, . NAT
( 25).
NAT ,
. ,
:
( 33).
( 53).

24

NAT

Locations
, NAT
.
:
NAT ( 26)
Locations ( 27)
SMC Server ( 29)

25

NAT
NAT ,
IP ,
. StoneGate
( 141).
StoneGate Location
NAT. Default Location ,
Location. NAT
, Location,
, .
Properties .
, ,
Location ,
Location.
6.1 Locations

" " Location

"" Location

Log/Management
Server

, ,
Management Log Server .
NAT, , :

IP SMC .
, ,
.
IP
. IP
, VPN
.
NAT ( )
IP . ,
, Management Server
.

26


Management Server ,
Management Server
.
, Location,
. SMC
Location. ,
VPN ,
Location
.


, :
1. Location. . Locations ( 27).
2. Management Server Log Server. .
SMC Server ( 29).
3. Location ()
, . .
( 33)
( 53).

Locations
Location,
NAT.
, Location, IP
. IP
Properties .
Location
1. Configuration
Administration. Administration Configuration.
1


27

2. Other Elements .

3. Locations
New Location. Location Properties.

5
4. Name.
5. ().
6. Add.
7. 5-6, .
8. OK.

28


, Locations.
?
Management Server Log Server ,
. SMC Server ( 29).

, :
( 33)
( 53).

SMC Server
Management Server Log Server
Location. , ,
Multi-Link .
Management Server Log Server
1.
Properties. Properties .

2. Location .
3. Contact addressesDefault.
IP ,
.


29

4. Exceptions Location,
(Default Contact Addresses) Locations
.

, Location,
IP . ,
Location, ,
Location.

.
?
, .
( 33).
, .
( 53).

30




:
- 33
- 53
- 71
- 77

31

32

.
Management Center
StoneGate.
.
Management Client.
,
Management Client.
:
( 34)
( 34)
( 36)
VLAN ( 37)
ADSL ( 38)
IP , VLAN, ADSL
( 41)
( 48)
( 50)

33


StoneGate Management Center (SMC),
. ,

.
, , :
1. . .
( 34).
2. (Physical interfaces) . .
( 36).
3. ( ) ADSL . . ADSL
( 38).
4. ( ) . .
( 48).
5. management-bound
. .
( 50).


Management Center
, ,
.
:
(Control interface), Management
Server /VPN.
, ,
, .


:
.
Management Center,
Interface ID.
.
ADSL ADSL
. StoneGate
ADSL ADSL .
ADSL StoneGate Interface ID ADSL Management
Center.
3G, USB .
Management Center.
IMEI ,
ID, .
34

USB flash
.
USB flash ,
Interface ID Management Center
(eth0 Interface ID 0 ..).
,
Modem Interface 0 .
, Interface IDs
.
Interface ID
.
Interface ID ADSL
.


,
. ,
Online Help Management Client StoneGate Administrators Guide .

(. ( 149)).

1. System Status.
System Status
1

2. Firewalls
New→Single Firewall. Single Firewall Properties.

3. Name.

35

4. Log Server, .

5. , Location (. NAT
( 25)).


,
. :
Normal .
Aggregated Link in High-Availability Mode
. .
,
.
Aggregated Link in Load-Balancing Mode
.
.

1. Interfaces.

36

2.
New→Physical Interface. Physical Interface Properties.

3. Interface ID.
.
4. Type Second Interface ID, Type Aggregated
Link.

IEEE 802.3ad. Aggregated Link in Load-Balancing Mode,
. ,
(LACP) LACP
.
Aggregated Link in High-Availability mode,
,
.
5. OK.
.
.
?
VLAN, .
VLAN ( 37).
ADSL Interface, . ADSL
( 38).
, . IP , VLAN,
ADSL ( 41).

VLAN
VLAN .
4094 VLAN- .


37

VLAN
1.
New→VLAN Interface. VLAN
Interface Properties.

2. VLAN ID (1-4094).

3. OK.
VLAN ID . ,
VLAN- .
VLAN ID VLAN ID
VLAN .
, VLAN
. VLAN Interface-ID.VLAN-ID, 2.100
Interface ID 2 VLAN ID 100.
?
ADSL Interface, . ADSL
( 38).
, IP ,
VLAN, ADSL ( 41).

ADSL
ADSL . ADSL
StoneGate,
ADSL. ADSL ANSI T1.413 i2, G. Lite, Annex A.

38

ADSL
1. , Interfaces.

2.
New→ADSL Interface. ADSL Interface Properties.

3. Interface ID. ADSL


.
4. Select , - (Service
Provider). Select Element.


39

5. - Select.
-, Ethernet ATM
( ).
- , ISP
New (. ).

Name Country .
,
. Type - -
Ethernet over ATM.
ISP, Ethernet ATM
, ADSL .
6. OK, ADSL Interface properties.

40

IP , VLAN,
ADSL
, VLAN , ADSL
IPv4 . VLAN
IPv6 .
?
IPv4 , . IPv4
( 41).
IPv6 , . IPv6
( 44).
IP , .
IP ( 45).

IPv4
IPv4 , VLAN ,
ADSL
1. , Interfaces.

2. Physical Interface VLAN


New→IPv4 Address, ADSL Interface
New IPv4 Address. IP Address Properties.

3. IPv4 Address.


41

4. Netmask, .
. Network Address Broadcast IP Address
.
?

NAT, .
IPv4 ( 42).
VRRP VLAN ,
.
VLAN ( 43).
IPv4 , OK.
, IPv4
VLAN
.
IPv6 VLAN ,
. IPv6 ( 44).
, .
( 48).
,
( 49).
IPv4
1. Contact Address Default Dynamic,
IP .
Location.

42

2. Locations IP ,
Exceptions Location.
?
VRRP VLAN ,
.
VLAN ( 43).
IPv6 VLAN
, . IPv6 ( 44).
, VLAN, ADSL
, (.
( 36), VLAN ( 37),
ADSL ( 38)),
IP ( 45).
,
( 48).
,
( 49).


VLAN
VRRP
1. VRRP Settings. VRRP Settings.

2. Enable VRRP.


43

3. ID, Priority, IPv4 Address


.

4. OK.
?
, VLAN, ADSL
, (.
( 36), VLAN ( 37),
ADSL ( 38)), .
IP ( 45).
,
( 48).
,
( 49).

IPv6
IPv6
1. , Interfaces.

2. VLAN
New→IPv6 Address. Interface
Properties.

44

3. IPv6 Address.
4. Prefix Length (0-128).
5. OK.
, IPv6
.
?
,
( 48).
,
( 49).

IP
IPv4 , VLAN, ADSL
. IPv6 .
IPv4 DHCP,
(
) IP .
IP (. ( 48).
IP
Dynamic DHCP Index.

?
,
NAT,
IP .
IP PPPoE,
PPPoE ( 46).
IP , OK.
,
( 48).
,
( 49).


45

IP
1. , Dynamic
.
Location.

2. Locations IP ,
Exceptions Location.

?
IP PPPoE,
PPPoE.
IP , OK.
,
( 48).
,
( 49)
PPPoE
1. PPPoE Settings. PPPoE Settings.

46

2. Enable PPPoE.

3. User Name, Password, () Service Name.


, -.
Hide, .
4. OK.
?
IP ,
OK.
,
( 48).
,
( 49).



3G .

1. , Interfaces.

47

2.
New→Modem Interface. Modem Interface
Properties.

3. Modem Number, IMEI (


).
4. DHCP index. DHCP index ,
DHCP.
5. PIN, SIM ,
(Phone Number), .
6. (Access Point Name, Username, Password, Service
Name, .
7. OK.
.
. 3G
StoneGate.
?
. ( 49).


, , Interfaces.
, IP . IPv4
.

48

1. Options. Interface Options.

2. , (Primary)
Management Server.
2

3. ( , )
(Backup) Management Server, ,
.
4. Node-initiated contact to Management Server, IP
NAT.

49

5. , Identity for Authentication


Requests.
;
.

.
6. OK.
7. OK, Firewall Properties.
(. ).
8

8. No , .
?
, POL Management Server (
IP ),
( 50).

. . ( 71).

POL Management Server POS


. Management
Center, management-bound licenses
, ..
. POS
, .
management-bound
1. Configuration
Administration. Administration Configuration.

50

2. Licenses Firewall.
.

3. , Dynamic
IP , Bind.
Select License Binding.

4. .
5. Select.
.
, Unbind.

( ),
.
. ,
. ,
Retained.
?

. . ( 71).

51

52


. Management Center
StoneGate.
.
Management Client,
,
Management Client.
:
( 54)
( 54)
( 56)
( 56)
VLAN ( 58)
IP ( 59)
( 67)

53


StoneGate Management Center (SMC),
. Management Client.
,
.
, , :
1. . .
( 54).
2. . .
( 56).
3. . .
( 56).
4. management-bound . .
( 67).

Management Center ,
,
.
:
(Control Interface) Management Server
/VPN.
(Heartbeat Interface)
.
,
.
IP - Cluster Virtual IP Address (CVI).

.
,
,
.
( 155).


Management Center,
Interface ID. Interface ID
. ,
USB flash , Interface ID
(eth0 Interface ID 0 ..).

54

Interface ID
.


.
Online Help Management Client
Administrators Guide.

(.
( 149)).

1. System Status.
System Status.
1

2.
Firewall Cluster. Firewall Cluster
Properties.

3. Name.

55

4. Log Server, .

5. , Location (. NAT
( 25)).


.
16 . ,
.

1. Add Node Firewall Cluster Properties.
Engine Node Properties.

2. ( ) Name.

3. OK.
. .


:
Normal
.
56

Aggregated Link in High-Availability Mode .


.
,
.
Aggregated Link in Load-Balancing Mode .

.

1. Interfaces.

2.
New Physical Interface. Properties
.

3. Interface ID.
.
4. Type Second Interface ID , Type
Aggregated Link.

IEEE 802.3ad. Aggregated Link in Load-Balancing Mode,
. ,
(LACP) LACP
.
Aggregated Link in High-Availability mode,
.

57

5. Packet Dispatch CVI Mode MAC Address


. MAC
- .
Packet Dispatch .
Firewall/VPN Reference Guide
.
CVI
.
IP ,
, MAC
. MAC .
MAC .
6. ( ) MTU, MTU,
Ethernet-default 1500.
7. OK.
,
.
?
- VLAN,
VLAN.
, IP
( 59).

VLAN
VLAN .
4094 VLAN .
VLAN
1.
New→VLAN Interface. VLAN
Interface Properties.

58

2. VLAN ID (1-4094).

3. OK.
VLAN ID . ,
VLAN .
VLAN ID VLAN ID,
VLAN .
VLAN .
VLAN Interface-ID.VLAN-ID, 2.100 Interface ID 2 VLAN ID
100.

IP
IP :
IP - Cluster Virtual IP Address (CVI)
, .
.
IP - Node Dedicated IP Address (NDI) ,
(, Management
). IP ,
Node Dedicated IP Address.
IPv4 .
CVI NDI
VLAN . ,
IP . ,
NDI,
.
VLAN Cluster Virtual IP Address
Node Dedicated IP Address. Cluster Virtual IP Address ,
, e
. Node Dedicated IP Address
, Cluster Virtual IP Address,
Node Dedicated IP Address.
?
IPv4.

59

IPv4
IPv4
1. , Interfaces.

2. VLAN
New→IPv4 Address. IP
Address Properties.

3. ( ) Cluster Virtual IP Address,


, ,
.
4. IPv4 Address, Cluster Virtual IP Address.
5. ( ) Node Dedicated IP Address,
IP , , VLAN
IP .
6. IPv4 Address IP .
.

60

7. Netmask , .
?
NAT,
.
( 62).
, OK. ,
IP
VLAN , .
( 64).

,
VPN . Cluster Virtual
IP Address
1. Dynamic,
IP .
Location.

2. Locations IP
, Exceptions Location.


61

Node Dedicated IP Addresses


1. Contact Address ,
IP . Exceptions.

2. Default,
IP .
Location.

3. ( ) Add, ,
Location
.
4. , , OK.
, CVI / NDI.
?
, OK
( 64).

62


,
Interfaces. , IP .
IPv4.

1. Options. Interface Options.

2. , (Primary)
Management Server.

3. ( , )
(Backup) Management Server,
, .


63

4. ,
(Primary) .

( ) ,
, , .

. , ,
.
,
, .
Online Help.
5. (, ) (Backup)
. ,
.

, .
6. , Identity for Authentication
Requests.
;
.

.
7. IP Default IP for Outgoing
Connections, ,
NDI.
8. OK.
Interfaces.
(
Info):
A ,

C c
H h
O IP

, . ,
, .
64

Cluster Virtual
IP Address, ARP- ,
ARP- ( 66). ,
OK, Firewall Cluster Properties.
Confirmation. No.

?
POL
Management Server,
( 67).

.
( 71).

ARP-
ARP-
. , ARP- . ,
Cluster Virtual IP Address,
ARP-,
IP/MAC .
ARP-
1. ARP Entries. ARP Entry Properties.


65

2. Add ARP Entry. .

2
3. Type Static.
4. Interface ID , ARP.
5. IP Address MAC Address IP MAC .
6. , , OK.
, OK,
Firewall Cluster Properties.
Confirmation. No.

?
POL
Management Server,
.

. .
( 71).

POL Management Server POS


. Management
Center, management-bound
, ..
. POS
, .
,
.

66

management-bound
1. Configuration
Administration. Administration Configuration.

2. Licenses→Firewall.
.

3. , Dynamic
IP , Bind.
Select License Binding.

4. Select.
. ,
Unbind.

67

, management-bound
.

( ),
.
.
, .
, Retained.
?

.
( 71).

68


Management Center .
:
( 72)
( 72)

( 75)

71


, Management Client,
.
:
1. Management Client. .
( 72).
2.
. .
( 75).


, ,
Management Server.
" "
Management Server. :

.
USB flash ,

.
USB flash ,
USB flash .

StoneGate, .

1. Configuration Firewall.
Firewall Configuration.
1

72

2. Firewalls. .

3. ,
,
Configuration→Save Initial Configuration. Initial
Configuration.
?
,
.
,
( 74).

1. ( ) ,
Management Server SSL Fingerprint .
2. One-Time Password
. ,
.

73

3. ,
Save As USB flash .
4. Close.

1. ( ) SSH ,
.
2. .
3. Save As USB flash ,
.

4. Close.
, SSH
Management Client. SSH
. ,
Management Server , .

(UTC),
.
(UTC),
Management Server, .
,
.
,
, "
" Management Server.

74



StoneGate.
.
?

StoneGate, Appliance Installation Guide.
,
, .

.
( 77), Online Help Management Client, Administrators
Guide PDF.
, .
.
Intel ( 99).

75

76

10

"
" Management Server,
a .
,
. Management Client.
:
( 78)
( 89)
( 96)

77


Management Client.

:
. IP
, .
,
.
,
, . ,
, IP ,
.

:
Network elements: IP .
Router elements: next-hop ,
(non-Multi-Link) ISP
NetLink.
NetLink elements: next-hop ,
Multi-Link. Multi-Link,

( -).
Aggregated Link in Load-Balancing
Mode, , LACP (Link
Aggregation Control Protocol) LACP .

Routing. , ,
,
.

78



1.
Routing. Routing
.

2. ,
. Tools Expand
All,
.

, . Any Network.
.

. Any Network, IP ,
. , IP ,
,
Any Network.
(Network) Routing
, .
, .
.

79

?
-
,
, . Multi-Link
( 82).
,
(Default Route) ( 80).

(Default Route)
NetLink

,
New→Router.

IP DHCP PPP,
, Gateway (DHCP Assigned)
Routing. , ,

( 81). IP ,
Router Properties, (. )

1. Name.
2. IPv4 Address / IPv6 Address -.

3. OK.

80



Router,
New Any Network.

,
Any Network. Any Network
Routing
. Any Network,
Multi-Link (. Multi-Link
( 82)).

.

.

,
StoneGate. , StoneGate,
. ,
, ,
, .

81

Multi-Link
NetLink
,
, New→Static
NetLink New→Dynamic NetLink. NetLink Properties.

NetLink
1. Name.
NetLink,
NetLink ( 85).
2

2. ( NetLink) Select Gateway.


3

3. Network Element.

82


4. Routers
New Router.

5. Name.
6. IPv4 Address / IPv6 Address -
NetLink.
7. OK.
Router NetLink- .

8.
Select.

1. Select Network.

83

2. Networks. .

3. (Network), .
NetLink ( 85).
, ,
New Network. Network Properties.

4. Name.
5. IPv4 Address Netmask / IPv6 Address Prefix Length (0-128).
6. ( ) Broadcast and Network Addresses Included,
.
7. OK.

84


8. Select.
NetLink
1. ( ) -.

Probing Settings, Input Speed, Output Speed


Multi-Link, Online
Help. .
2. OK.

85

NetLink ,
NetLink, .
Multi-Link
NetLink New→Any Network.

,
Any Network.

,
-. , StoneGate,
. ,
, ,
.
, ,
Multi-Link. Multi-Link
Management Client Online Help.


, ,
Routing. ,
,
Routing . Router, next-hop
.
, non-ISP, .
, MultiLink, . ,

86


NetLink Router, ,
(. Multi-Link
( 82)).

1. ,
New→Router. Router
Properties.
1

2. Name.
3. IPv4 Address / IPv6 Address -,
.

4. OK.

1. , ,
New Network.

.
2. Name.

87

3. IPv4 Address Netmask / IPv6 Address Prefix Length (0-128).

4. ( ) Broadcast and Network Addresses Included,


.
5. OK.
.

IP - IP
.
.
StoneGate,
. , IP
(source) ,
, Routing.
,
.
,
. Host Antispoofing
, .
Management Client Online Help.
?
IP
, IP
(IP Address Count Limited Licenses).

,
.

88


IP
(IP Address Count Limited Licenses)
IP ,
Internet IP . ,

.
IP
Internet Routing
Exclude from IP Counting.
IP .
Multi-Link
IP ,
. . www.stonesoft.com/
support.


, ,
. ,
(
).
StoneGate, .
IPv4 Access rule,
.

1. Configuration Firewall.
Firewall Configuration.
1

89

2. Firewall Policies
New→Firewall Policy.

3. Name.
4. . Default,
.

5. OK. .

,
Rule→Add Rule.

,
.

90


ping rule
1. Network Elements Host.
o Host Properties.

2. Name.
3. IPv4 Address / IPv6 Address Host.

4. OK.

5. Host Source.

91

6. Destination Set to ANY.


7. Service ,
.

8. ICMP Ping Service.

9. Action Allow.
, Rule→Add Rule
Before Rule→Add Rule After.
,
. ,
. ,
, ,
. ,
.
ping rule , ping, Test
, . , -
ping Test , .
?
IP ,
IPv4 NAT , IP ,
. NAT Rule Example Ping Rule
( 93).
NAT , .
( 94).

92


Multi-Link
NAT.
Online Help Administrators Guide.

NAT Rule Example Ping Rule


NAT
1. IPv4 NAT.

2. , NAT.

3. Hosts Host , ,
Source.
4. Destination Set to ANY.
5. ICMP Ping Service Service.
6. NAT Edit NAT.
Network Address Translation.

7. Static Translation Type.


8. Address IP Test .
IP Source NAT,
.

93

9. OK.
NAT . ,
IP Test .
. ,
, .
,
, .



1. File Save and Install,
.

2. .
3. Add.
4. Validate Policy Before Upload,
.

5. OK.

94


, ,
, ,
.
, ,
, .
Online Help
Administrators Guide PDF.


.
(.
).

1. System Status.

2. SMC Status.

Info .
3. Commands,
/ . Online
.
Status,
, , ,
.

95

96




:
Intel - 99

97

98

11


INTEL
StoneGate
Intel
Intel, AMD.
:
( 100)
( 100)
( 101)
( 102)
Expert Mode ( 112)

99


StoneGate
. StoneGate,

Appliance Installation Guide.
, .
Management Center /VPN
.
, Automatic Power
Management (APM), Advanced Configuration and Power Interface (ACPI)
BIOS. ,
.
.
.


1. ,
Stonesoft. . ( 100).
2. . . ( 101).
3. Management Server. .
( 102).
?
.
( 101).
. .



Stonesoft.
1. Stonesoft Downloads: https://my.stonesoft.com/download.
2. .iso .


, StoneGate
, , .

.

100


MD5 SHA-1.
- Stonesoft,
.
Windows MD5 SHA-1 , ,
o.
-, MD5 SHA-1,
:
1. - : https://my.stonesoft.com/
download/.
2. , (), .
3. - md5sum
sha1sum filename, filename - .

filename

$ md5sum sg_engine_1.0.0.1000.iso
869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso
4. .
.

-. , ,
Stonesoft
.


,
.
, CD,
.iso . .iso
, .

, ,
.

.
Management Center. .
( 71) .
,
. ,
. .
StoneGate .

101

StoneGate :
1. StoneGate
. .

2. YES ENTER,
.

3. : Full Install Full Install in expert mode.


1 Full Install.
2 Full Install in expert mode.
.
4. :
, 1 .
, 2 .
Full Install in expert mode,
. Expert Mode ( 112)
5. YES
,
. .
?
,
. .
USB flash .
,
, .
. .
( 103).



, , 3G (
).
Management Server.

USB flash


StoneGate.
USB flash .
, ,
, .
102


, ID
: Physical Interface ID
0 eth0, Physical Interface ID 1 eth1, .
(Modem Numbers) (Modem Interfaces)

IMEI, .
, ,
- ID.
,
. Management
Client.
. Online Help
Management Client Administrators Guide.
USB flash :
1. , ,
, Serial .
2. USB flash .
3. ,
. StoneGate ,
USB flash , ee
Management Server.
,
, ,
(sg_autoconfig.log) USB flash .
connection refused,
IP Management Server.
, Management
Server .

StoneGate.
, , ID
, ID 3G ,
.
sg-reconfigure.

103

USB flash (.
( 71)),
.

,
Import, .
, Next .
. ( 105).
:
1. Floppy Disk USB Memory .

2. . ,
.
3. Next , .

104



Configure OS Settings.
, .

1. Keyboard Layout
. Select Keyboard Layout.

2. .
, .

,
, US_English.

1. Local Timezone
. Select Timezone.

2. ,
.

105

,
.
(UTC).
Management Server.

1. .
2. root.
,
.

3. ( ) Enable SSH Daemon ,



SSH.
,
SSH,
.
4. Next . Configure Network
Interfaces.


, .
. ,
autodetect, .

Autodetect .

106


,
.
?
,
, .
( 107)
.
, .
ID ( 107).
Sniff .
Sniff , .
ID
1. ID, ID ,
.

2. ,
, Media
.
3. Mgmt ,
Management Server.
(management interface)
,
Management Center.
Management Center.
Next , . .
Management Server ( 109).

1. Add .

107

2. .

?
, ,
ID .

108


Management Server
Prepare for Management Contact.
USB flash ,
.
Management Server
, ,
.
(. 127),
.
Management Server,
.
, ,
Management Server .

?
IP DHCP,
Obtain Node IP address from a DHCP server .
Management Server ( 110).
IP PPPoE,
Use PPPoE . PPPoE.

, Use Modem .
. ( 110).
IP , Enter
node IP address manually IP address Netmask (!),
Gateway to management ( Management Server
).

109

PPPoE
1. Settings ENTER. PPPoE Settings.

2. ,
.

3. OK .

1. Settings Enter. Modem Settings.
2. ,
.

3. OK .
Management Server
, ,
Management
Server.
,
( 71).
1. Contact Contact at Reboot .

110


2. IP Management Server .


Management Server.
, Management Center
.
, ,
.
3. () Key fingerprint,
.
.
4. Finish .
Management Server.
.
connection refused, ,
IP Management Server .
, ,
.
Management Server
, ,
.
( 141),
.
-
, sg-reconfigure.

Management Server
, Management Server
, .
. Management Client
Unknown No Policy Installed, Connected,
, Management Server .
?
,
( 77).

111

Expert Mode
, (
( 100)).
Expert Mode ,
Expert Mode .
Linux,
.
cmd.exe, reboot,
halt, . init.
Management Client.


, StoneGate ,
11.1. , ,
.
.

1. , , y,
.
2. . .
3.
:

11.1

Engine root A

bootable

Engine root B

Primary

Primary

Logical

Swap

112


200 MB


StoneGate
Firewall engine.

Linux

200 MB


StoneGate Firewall
engine.

.

Linux swap

Swap
StoneGate Firewall
engine.

Linux


11.1 ()

Data

Spool

Logical

Logical

Linux

500 MB

Linux

4. , .
5. Write, . , yes.
6. Quit ENTER.


,
StoneGate.

1. , . yes, .
2. ,
, :
engine root A, 1.
engine root B, 2.
swap, 5.
data, 6.
spool, 7.
3. , . yes.
.
4. ,
, .
5. .
( 102).


113

114



:
- 117

115

116

12

StoneGate.
,
.
:
( 118)
( 119)
( 120)
( 123)
( 126)

117



-
Management Server. Management Server
. ,
Management Client. .

.
, .
,
.
,
. .
(, ..)
.
, , .
,
.
.

32- 64-
.
, .
, 32- 64-
. StoneGate
.

, , ,
Management Center . Management Center
, .
Management
Center.
(Release Notes).
,
. ,
.
,
.
,
System Status.
Info, General. Info
, View→Info.

118


,
(Release Notes) , .
http://www.stonesoft.com/en/support/technical_support_and_documents.


:
1.
, (.
( 119)).

Online Help.
2. ,
,
CD, .iso .
1. ,
(. ( 120)).

Online Help.
2. . ,
, ,
(.
( 123) ( 126)).

Management Server ,
, ,
,
MD5 SHA-1. Windows MD5 SHA-1,
.
:
1. www.stonesoft.com/download/.
:
.zip
. ,
USB flash
.
.iso
.
2. , (), .
3. - md5sum
sha1sum filename, filename - .

filename

$ md5sum sg_engine_1.0.0.1000.iso
869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

119

4. .

-. ,
Stonesoft
.
ZIP
1. Management Client File→Import→Import
Engine Upgrades.
2. , sg_engine_version_platform.zip,
Import. .
Management Client.
ZIP
USB flash CD-ROM.
ISO

, CD, .iso
. .iso ,
.
?
, .
. ( 123),
( 126), ,
.
, .
.


StoneGate , ,
StoneGate .
(,
1.2.3 1.2.4), . (,
1.2.3 1.3.0), ,
. ,

120


. Stonesoft.
Online
Help. .
?
,
One Proof Code ( 121).
,
,
Multiple Proof Codes ( 121).

One Proof Code


POL POS
.
multi-upgrade, (.
Multiple Proof Codes ( 121)).

1. Stonesoft License Center: www.stonesoft.com/license/.
2. (proof-of-license proof-of-serial number)
Submit.
.
3. Update. .
4. .

Multiple Proof
Codes
POL,
.

1. Configuration
Administration. Administration Configuration.

121

2. Licenses Firewall.
.

3. , .
4. Export License Info.
5. ,
. .

6. ( ) Yes ,
multi-upgrade Stonesoft License Center -.
, Stonesoft License Center
www.stonesoft.com/license/ multi-upgrade.
.
.
License Center proof-of-license proof-of-serial number.


,
Management Client.
StoneGate
1. File→System Tools→Install Licenses.

2.
, .

122



,
. ,
.

1. Configuration
Administration. Administration Configuration.

2. Licenses Firewall.

?
, Management Client,
. .
,
. ( 126).


.
,
, . (ask)
, Online Help.
,
.
.
. 32- 64-
.

123


1. System Status. System Status.
1

2. ( )
,
Commands→Go Offline.

124


3.
Upgrade Software.

4. , ,
.
5. .

, .
,
, .
6. (Engine Upgrade version) ,
.
7. OK.
, .
, .

. Abort, .

,
.
,
, , .
, .
, sg-toggle-active.
boot,
. . ( 133)

125

.
,
.
?
, /
, ,
.


,
Management Server. , .
,
serial . ,
,
.
,
.
.
. 32- 64-
.
?
.
ZIP ( 128).


, StoneGate
, .iso , Stonesoft
Stonesoft.

, .
,
, .

1. , (root),
(
Management Client).
2. .

126


3. reboot.
, ,.
.

4. 1, ENTER,
. ..

5. , ENTER,
.
, ,
. .
( 102).
6. , Management Client
Commands→Go Online.
sg-cluster online.
,
, , .
, .
, sg-toggle-active.
boot,
. . ( 133)
.
,
.
?
, ,
,
.

127

ZIP
,
.zip .

, .
.
, .

1. , (root),
(
Management Client).
2. USB flash CD .
3. sg-reconfigure. .
4. Upgrade ENTER.

5. , .

6. ( ) Calculate SHA1 -.
- .zip .

-. Cancel,
.
7. OK. .
8. ENTER.
.
,
, , .
, .
, sg-toggle-active.
boot,
. . ( 133)

128


.
,
.
?
, /
, ,
.

129

130



:
- 133
- 141
- 149
- 155

131

132

13


StoneGate.
Administrators Guide Online Help Management Client.
:
StoneGate ( 134)
( 139)

133

StoneGate
StoneGate
(, SOHO
).
, .
Administrators Guide Online Help Management Client.

134


13.1 StoneGate

sg-blacklist
show [-v] [-f FILENAME] |
add [
[-i FILENAME] |
[src IP_ADDRESS/MASK]
[dst IP_ADDRESS/MASK]
[proto {tcp|udp|icmp|NUM}]
[srcport PORT{-PORT}]
[dstport PORT{-PORT}]
[duration NUM]
]|
del [
[-i FILENAME] |
[src IP_ADDRESS/MASK]
[dst IP_ADDRESS/MASK]
[proto {tcp|udp|icmp|NUM}]
[srcport PORT{-PORT}]
[dstport PORT{-PORT}]
[duration NUM]
]|
iddel NODE_ID ID |

,
(blacklist).

(Access Rules).
:
show
: engine node ID | blacklist entry ID | (internal) | entry creation time
| (internal) | address and port match | originally set duration | (internal) |
(internal). -f,
, (/data/blacklist/
db_<number>). -v
.
add . (. )
-i,
.
del .
(. ) -i,
.
iddel NODE_ID ID
. NODE_ID - , ID -
( show).
flush .
/ :
.
.
;
.
src IP_ADDRESS/MASK IP
. IP .
dst IP_ADDRESS/MASK IP
. IP .
proto {tcp|udp|icmp|NUM}
. IP
.
srcport PORT[-PORT] TCP/UDP
. .
dstport PORT[-PORT] TCP/UDP
.
.
:
sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
sg-blacklist add -i myblacklist.txt
sg-blacklist del dst 192.168.1.0/24 proto 47

135

13.1 StoneGate ()

sg-bootconfig
[--primary-console=tty0|ttyS PORT,SPEED]
[--secondary-console=[tty0|ttyS PORT,SPEED]]
[--flavor=up|smp]
[--initrd=yes|no]
[--crashdump=yes|no|Y@X]
[--append=kernel options]
[--help]
apply


.
--primary-console=tty0|ttyS PORT,SPEED
.
--secondary-console= [tty0|ttyS PORT,SPEED]
.
--flavor=up|smp [-kdb]
.
--initrd=yes|no , Ramdisk
.
--crashdump=yes|no|Y@X
,
(Y). 24M. X
16M.
--append=kernel options
, .
--help .
apply .

sg-clear-all

,
StoneGate .
.
, .

sg-cluster
[status [-c SECONDS]]
[online]
[lock-online]
[offline]
[lock-offline]
[standby]
[safe-offline]

.
status [-c SECONDS] .
-c SECONDS,
.
online .
lock-online
,
.
offline .
lock-offline
, .
standby .
safe-offline ,
- .

sg-contact-mgmt


Management Server,
(. sg-reconfigure). Management Server
,
.

136

13

13.1 StoneGate ()

sg-ipsec -d
[-u <username[@domain]> |
-si <session id> |
-ck <ike cookie> |
-tri <transform id> |
-ri <remote ip> |
-ci <connection id>]

VPN (
vpninfo, ). -d ( delete)
.
-u VPN VPN.
,<username@domain>
(LDAP
).
-si VPN VPN
.
-ck IKE SA ( )
IKE cookie.
-tri IPSEC SA ( )
.
-ri SA IP VPN
"-".
-ci SA
VPN "-".

sg-logger
-f FACILITY_NUMBER
-t TYPE_NUMBER
[-e EVENT_NUMBER]
[-i "INFO_STRING"]
[-s]
[-h]


.
-f FACILITY_NUMBER
.
-t TYPE_NUMBER .
-e EVENT_NUMBER
. 0
(H2A_LOG_EVENT_UNDEFINED).
-i "INFO_STRING"
.
-s stdout
-h .

sg-raid
[-status] [-add] [-re-add]
[-force] [-help]

StoneGate.
StoneGate,
RAID (Redundant Array of Independent Disks )
.
-status .
-add .
-add -force,
,
.
-re-add , .

.
-re-add -force,
.
-help .

137

13.1 StoneGate ()

sg-reconfigure
[--boot]
[--maybe-contact]
[--no-shutdown]

.
--boot .
, .
--maybe-contact Management Server,
.
.

sg-selftest [-d] [-h]

.
-d .
-h .

sg-status [-l] [-h]

.
-l
.
-h .

sg-toggle-active SHA1 SIZE [--force] [--debug]

.
.
, ,
.
, .
.
, /var/run/stonegate (ls -l /var/run/stonegate).
SHA1 SIZE
, , .
, -
-
sg_engine_[version.build]_i386.zip file.
--debug .
--force
.

sg-upgrade

CD-ROM.
,
Management Client.

sg-version

138

13

13.1 StoneGate ()

sginfo
[-f] [-d] [-s] [-p] [--] [--help]

,
Stonesoft support, .
,
Stonesoft support .
-f sgInfo , .
-d sgInfo.
-s slapcat sgInfo.
-p sgInfo (
).
sgInfo .
--help .



Linux, StoneGate.
Ctrl+c.
13.2

dmesg

. -h,
.

halt

ip
ping

ICMP .
, .

ps

reboot

. ,
. ,
.

scp

. ,
.

sftp

FTP ( ).
, .

ssh

SSH ( ).
, .

tcpdump

. -h,
.

139

13.2 ()

top

140

traceroute

.
, .

vpninfo

VPN. ,
.

13

14

StoneGate
, StoneGate .
:
Management Center ( 142)
/VPN ( 144)

141

Management Center
,
Management Center (SMC) SMC .
14.1.
14.1 SMC
[Figure residue: the diagram showed the SMC components (Management Server, Log Server, Web Portal Server, LDAP server, RADIUS server, Stonesoft update service) and the ports between them: TCP 3020, 8916, 8917 (Log Server); TCP 443 (Stonesoft); TCP 389 (LDAP); UDP 1812 (RADIUS); TCP 8902-8913, 8903, 8907, 3021 (Management Server); TCP/UDP 162/5162 and 514/5514 (Win/Linux) and UDP 161. The same ports are listed in Table 14.1.]
, SMC
. .

. SMC
, .
14.1 Management Center

DNS-

53/UDP,
53 TCP

Management
Client,
Management
Server, Log Server

DNS.

DNS (UDP)

LDAP-

389/TCP

Management
Server

LDAP
/
Management Client.

LDAP (TCP)

142

14

14.1 Management Center ()

Log Server

162/UDP,
5162/UDP

SNMPv1
.
Windows
162, Linux 5162.

SNMP (UDP)

Log Server

514/TCP,
514/UDP,
5514/TCP,
5514/UDP

Syslog
.
514
Windows, 5514 Linux.

Syslog (UDP)
[Partial match]

Log Server

3020/TCP

Log Server,
Web Portal Server

SG Log

Log Server

8914-8918/
TCP

Management
Client

SG Data Browsing

Log Server

8916-8917/
TCP

Web Portal Server

SG Data Browsing
(Web Portal Server)

Management
Server

3021/TCP

Log Server, Web


Portal Server

/
.

SG Log Initial
Contact

Management
Server

8902-8913/
TCP

Management
Client, Log Server,
Web Portal Server

SG Control

161/UDP

Log Server

SNMP
IP .

SNMP (UDP)

Management
Server

8903, 8907/
TCP

Management
Server

(pull)
Management Server.

SG Control

RADIUS
(Authentication)

RADIUS

1812/UDP

Management
Server

RADIUS

.


RADIUS .

Management
Server

8902-8913/TCP

Management
Server

(push)
Management Server.

SG Control

Stonesoft

443/TCP

Management
Server

, ,
update.stonesoft.com
smc.stonesoft.com.

HTTPS

Management Center

143

14.1 Management Center ()

Syslog

514/UDP, ,
5514/UDP

Log Server


syslog.

LogServerConfiguration.txt.

Syslog (UDP)
[Partial match]

/VPN
,
/VPN SMC .
14.2,
/VPN 14.3
SOHO.
.15 /VPN

[Figure residue, Firewall/VPN engine: Log Server (TCP 3020); Management Server (TCP 3021, 3023, 8906*); node to node in a cluster (TCP 3002, 3003, 3010; UDP multicast 3000, 3001); Management Server to engine (TCP 636, 4950, 4987, 8888, none*). * node-initiated contact. The same ports are listed in Table 14.2.]
.16 SOHO
[Figure residue, SOHO engine: NTP (UDP 123), Log Server, Management Server (TCP 8922, 8924), TCP 8923. See Table 14.3.]
.17 /VPN
[Figure residue, Firewall/VPN engine and external servers: LDAP (TCP 389, 636), DNS (TCP, UDP), RADIUS (UDP 1812, 1645), TACACS+ (TCP 49), RPC (TCP, UDP), SG Server Pool Monitoring (UDP 7777), DHCP (UDP 67, 68), SNMP (UDP 161, 162), VPN (UDP 500, 2746, 4500).]
, /VPN
StoneGate .
.
.
14.2 Firewall/VPN

80/TCP

HTTP

BrightCloud

2316/TCP


BrightCloud.

BrightCloud
update

DHCP

67/UDP

DHCP
,
IP .

BOOTPS (UDP)

DNS-

53/UDP,
53/TCP

DNS.

DNS (TCP)

/VPN

145

14.2 Firewall/VPN ()

67/UDP

DHCP
.

BOOTPS (UDP)

68/UDP

DHCP-

DHCP.

BOOTPC (UDP)

161/UDP

SNMP-

SNMP .

SNMP (UDP)

500/UDP

VPN ,
VPN

VPN , VPN .

ISAKMP (UDP)

636/TCP

Management
Server

LDAPS (TCP)

2543/TCP


(Telnet) .

SG User
Authentication

2746/UDP

StoneGate
VPN

UDP VPN
.

SG UDP
Encapsulation

3000-3001/UDP, 3002-3003, 3010/TCP

/VPN

SG State Sync
(Multicast), SG
State Sync
(Unicast), SG Data
Sync

4500/UDP

VPN ,
VPN

VPN ,
NAT-traversal.

NAT-T

4950/TCP

Management
Server

SG Remote
Upgrade

4987/TCP

Management
Server


Management Server.

SG Commands

8888/TCP

Management
Server

;
, ,
.

SG Monitoring

15000/TCP

Management
Server,

SG Blacklisting

LDAP-

389/TCP

LDAP ,
StartTLS.

LDAP (TCP)

3020/TCP


;
, ,
, .

SG Log

Log Server

146

14

14.2 Firewall/VPN ()

Management
Server

3021/TCP

/

( ).

SG Initial Contact

Management
Server

3023/TCP

().

SG Reverse
Monitoring

Management
Server

8906/TCP


,
node-initiated
contact.

SG Dynamic
Control

RADIUS

1812, 1645/UDP

RADIUS.

RADIUS
(Authentication),
RADIUS (Old)

RPC-

111/UDP, 111/TCP

RPC .

SUNRPC (UDP),
Sun RPC (TCP)

7777/UDP

SG Server Pool
Monitoring

SNMP

162/UDP

SNMP .

SNMP Trap (UDP)

TACACS+

49/TCP

TACACS+.

TACACS (TCP)

VPN

500/UDP, 2746/UDP ( StoneGate), 4500/UDP.

VPN . 2746 4500




.

ISAKMP (UDP)

14.3 SOHO

SOHO

500/UDP

VPN

IKE (Internet Key


Exchange) IPsec.

ISAKMP (UDP)

Management
Server

8922/TCP

SOHO


Management Server.

SG SOHO Control

/VPN

147

14.3 SOHO ()

Management
Server

8924/TCP

SOHO

/

( ).

SG SOHO Initial
Contact

NTP-

123/UDP

SOHO

NTP (UDP)

RADIUS

1812/UDP

SOHO

RADIUS.

RADIUS
(Authentication)

148

14

15

, StoneGate ,
:
.
:
( 150)
( 151)
Management Center ( 152)
( 152)

149


. ,
. : 1
2.
.
15.1
[Figure residue: example two-node cluster network. Internal network 10.42.1.0/24 (nodes .1 and .2); VLAN 16 172.16.1.0/24 and VLAN 17 172.17.1.0/24 (CVI .1, NDI .21 and .22); DMZ 192.168.1.0/24 with Management Server .101 and Log Server .102; ISP A 212.20.1.254/24; second ISP 129.40.1.254/24. The addresses are listed in Table 15.1.]



.
15.1

(DMZ)

ISP A

ISP

CVI: CVI .
NDI: 10.42.1.1 ( 1) 10.42.1.2 ( 2).

Management Server Log Server
.

CVI: 192.168.10.1.
NDI: 192.168.10.21 ( 1) and 192.168.10.22 ( 2).
.
- ISP A.

CVI: 212.20.1.254.
NDI: 212.20.1.21 ( 1) and 212.20.1.22 ( 2).
Next hop : 212.20.1.1.
.
- ISP .

CVI: 129.40.1.254.
NDI: 129.40.1.21 ( 1) and 129.40.1.22 ( 2).
Next hop : 129.40.1.1.
VLAN (VLAN ID 16)
VLAN .

CVI: 172.16.1.1.
NDI: 172.16.1.21 ( 1) and 172.16.1.22 ( 2).
VLAN (VLAN ID 17)
VLAN .

CVI: 172.17.1.1.
NDI: 172.17.1.21 ( 1) and 172.17.1.22 ( 2).

151

Management Center
Management Server Log Server
, DMZ.
15.2 Management Center

Management
Center

Management
Server

Management Server
StoneGate Log Server .
Management Server (DMZ) IP
192.168.1.101.

Log Server

Log Server .
(DMZ) IP
192.168.1.102.


,
.
15.2

[Figure residue: single firewall with external interface .254 on 212.20.2.0/24 (next hop .1) and internal interface 172.16.2.1/24. The addresses are listed in Table 15.3.]

15.3

IP : 212.20.2.254.
Next hop : 212.20.2.1.
.

IP : 172.16.2.1.

153

154

15

16

StoneGate
16.1:
ID , ID ( VLAN ID,
VLAN)
CVI, CVI Interface ID ( )
NDI, NDI ( ).
Interface ID, CVI/NDI.
, , Interface
ID.
IP , CVI NDI.
MAC/IGMP IP , MAC , CVI
Multicast IGMP, multicast IP ,
multicast MAC .
, ,
NDI , ,
IP .
.
Management Client.

155

16.1 StoneGate

[Worksheet residue: a blank form, repeated on three pages, with columns Interface ID, IP address, CVI (flags U M I K A), NDI (flags H h C c D) and MAC / IGMP IP (MAC: ___:___:___:___:___:___, IGMP IP: _____._____._____._____), one row per interface.]

*) CVI: U=Unicast MAC, M=Multicast MAC, I=Multicast IGMP, K= , A=IP ,

NDI: H= , h= , C= IP , c= IP , D=IP

159

160

16