StoneGate Firewall 5.2 Installation Guide

Legal notices (page 2)

End-user license agreement: www.stonesoft.com/en/support/eula.html
Third-party licenses used in StoneGate: www.stonesoft.com/en/support/third_party_licenses.html
U.S. Government restricted rights: DFAR (DOD Supplement to the Federal Acquisition Regulations) 252.227-7013(c)(1) and FAR (Federal Acquisition Regulations) 52.227-19(c)(2).
Export control: Council Regulation (EC) No 1334/2000 of 22 June 2000 (dual-use export controls); Stonesoft products may not be exported in violation of it.
Support terms: www.stonesoft.com/en/support/view_support_offering/terms/
Return material authorization: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Patents: 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937, 1443729; 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; and 7,461,401. Stonesoft, the Stonesoft logo and StoneGate are trademarks or registered trademarks of Stonesoft Corporation. Other product names are trademarks of their respective owners.

Copyright 2011 Stonesoft Corporation. All rights reserved.

Revision: SGFIG_20110222

Table of contents (section titles not recoverable; chapter topics and page numbers as in the guide)

Part 1: Introduction
  Chapter 3: StoneGate documentation, page 7
Part 2: Preparing for installation
  Chapter 4: Planning the firewall installation, page 15
  Chapter 5: Licenses, page 21
  Chapter 6: NAT addresses and Locations, page 25
Part 3: Configuring firewalls
  Chapter 7: Single firewall, page 33
  Chapter 8: Firewall cluster, page 53
  Chapter 9: Saving the initial configuration, page 71
  Chapter 10: Routing and basic policies, page 77
Part 4: Installing engines
  Chapter 11: Installation on Intel-compatible platforms, page 99
Part 5: Upgrading
  Chapter 12: Upgrading the engine, page 117

Part 1: Introduction

Chapter 3: Using StoneGate documentation (page 7)

This chapter describes the StoneGate documentation and how to obtain support. This guide covers the StoneGate firewall and its VPN features (StoneGate Firewall/VPN).

3.1 Documentation

Online Help is available in the Management Client: press F1 or select Help > Help Topics. The guides are also available as PDF files for the Management Center and the engines at http://www.stonesoft.com/support/.

Table 3.2 StoneGate documentation

Reference Guide: background and concepts for StoneGate Management Center, Firewall/VPN and StoneGate IPS.
Installation Guide: installation of StoneGate Management Center, Firewall/VPN, StoneGate IPS and the SOHO appliances.
Online Help: opened from the Help menu ("Help") or with F1 in the StoneGate Management Client, the StoneGate Web Portal and the StoneGate SSL VPN Administrator.
Administrator's Guide: day-to-day administration of StoneGate Firewall/VPN and StoneGate IPS; separate Administrator's Guides exist for StoneGate SSL VPN and the StoneGate IPsec VPN Client.
User's Guide: for end users of the StoneGate IPsec VPN Client and the StoneGate Web Portal.
Appliance Installation Guide: hardware installation of the StoneGate appliances (rack mounting, cabling, etc.).

Support

Documentation and the Support section: http://www.stonesoft.com/support/. Product information: www.stonesoft.com/en/products_and_solutions/products/. Always read the Release Notes of the StoneGate version you install. Company information: http://www.stonesoft.com/. Licenses are managed in the Stonesoft License Center: https://my.stonesoft.com/managelicense.do. E-mail contacts for support, licensing and sales are given on this page as [email protected].

Part 2: Preparing for installation

Chapter 4: Planning the firewall installation (page 15)
(Chapter 5: Licenses, page 21; Chapter 6: NAT, page 25)

This chapter gives an overview of the StoneGate firewall, the installation steps and the points to decide before you begin.

The StoneGate system consists of StoneGate firewall engines and the StoneGate Management Center (SMC), from which the engines are configured and monitored. Features named in this chapter:
- Multi-Layer inspection: stateful inspection combined with application-level inspection (unified threat management, UTM).
- Multi-Link: several ISP connections used in parallel, with automatic fail-over; also applies to VPN traffic.
- QoS: bandwidth management and traffic prioritization.
- Clustering: several engines act as one firewall with load balancing and fail-over.
- VPN: IPsec VPN, which with Multi-Link does not depend on a single ISP.
- Integration with StoneGate IPS: StoneGate Firewall/VPN and StoneGate IPS are managed from the same Management Center.

The SMC is described in the SMC Reference Guide and StoneGate IPS in the IPS Reference Guide. Compatibility with StoneGate Management Center 5.0 and later is covered in the StoneGate Administrator's Guide (see also page 149).

Installation overview
1. Install the licenses (page 21).
2. If NAT is used between StoneGate components, define Locations and Contact Addresses (page 25).
3. Define the firewall element in the Management Client: single firewall (page 33) or firewall cluster (page 53).
4. Save the initial configuration (page 71).
5. Install the engine: on StoneGate appliances follow the Appliance Installation Guide; on Intel-compatible hardware see page 99.
6. Configure routing and a policy (page 77).

The Firewall/VPN Reference Guide describes the features in more depth.

Note: if your Management Center is version 5.0, read the licensing notes in Chapter 5 (page 21).

Hardware: StoneGate appliances, or Intel-compatible hardware listed in the Hardware Requirements at http://www.stonesoft.com/en/support/. Engines can also run on VMware; check the Release Notes, and see the StoneGate Technical Documentation for the Firewall/VPN engine on VMware ESX. The engine is based on a hardened Linux operating system.

Time: the Management Server, Log Server, Management Client and the engines should use synchronized time. The engines and the Management Server operate internally in UTC; local time is used only for display.

Cluster addressing
- Cluster Virtual IP Address (CVI): an address shared by all nodes of a cluster; used for the traffic the cluster inspects.
- Node Dedicated IP Address (NDI): an address that belongs to one node; used for the node's own communications, for example with the Management Server and the heartbeat between nodes.
An interface may have a CVI, NDIs, or both.

Fail-over: if a node fails, the other nodes take over its connections. On the switch ports that connect to StoneGate engines, enable PortFast (or the equivalent) so that spanning-tree convergence does not delay fail-over.

Multicast: see the Online Help and the Administrator's Guide.

Packet Dispatch is the default CVI mode (see the Firewall/VPN Reference Guide). One node at a time acts as dispatcher: it answers ARP requests for the Cluster Virtual IP Address with a unicast MAC address and forwards the received packets to the node that handles them, so the switches see one MAC address per CVI.

Chapter 5: Installing licenses (page 21)

Each engine needs a license. This chapter describes how licenses are generated and installed.

Automatic licensing (page 22)
Since version 5.0, the Management Server can generate and install licenses itself when Generate and Install New Licenses Automatically is enabled in the SMC and the Management Server can connect to the Stonesoft License Center. If the Management Server has no connection to the License Center, request the licenses manually in the License Center and install them with the Management Client. A management-bound license is identified by the POL (proof-of-license) code; an appliance license is identified by the POS (proof-of-serial-number) code and is bound to the appliance's serial number.

Manual licensing:
1. Request the licenses from the Stonesoft License Center (page 23).
2. Install the licenses with the Management Client (page 23).

What's next? If NAT is used between StoneGate components, continue with Chapter 6, NAT (page 25); otherwise define a single firewall (page 33) or a firewall cluster (page 53).

Requesting licenses (page 23)
The Stonesoft License Center issues licenses against a POL (proof-of-license) code or a POS (proof of serial) code.
1. Go to the Stonesoft License Center at www.stonesoft.com/license/.
2. Enter the proof-of-license or proof-of-serial number code and click Submit.
3. Click Register.
4. For a management-bound license, enter the Management Server's POL code as requested. The binding to an engine is done later in the Management Client.
5. Click Submit Request. The license file is delivered to you.

Installing licenses (page 23)
1. In the Management Client, select File > System Tools > Install Licenses.
2. Select the license file(s) and install them.

Checking the licenses (page 24)
1. Select Configuration > Administration. The Administration Configuration view opens.
2. Expand Licenses.
3. Select All Licenses. A management-bound license is shown as unbound until it is bound to an engine element; a POS license is bound to the appliance's serial number.

What's next? If NAT is used between StoneGate components, continue with Chapter 6, NAT (page 25); otherwise define a single firewall (page 33) or a firewall cluster (page 53).

Chapter 6: Configuring NAT addresses (page 25)

If NAT is applied between StoneGate components, Location elements and Contact Addresses define the addresses the components use to reach each other.

Contents: Overview (page 26), Defining Locations (page 27), Contact Addresses of the SMC servers (page 29)

Overview (page 26)
When NAT is used between system components, the address a component is configured with is not the address other components can reach it at. StoneGate handles this with Locations and Contact Addresses (see also the example network on page 141). All elements belong to the Default Location unless they are placed in another Location. Components in the same Location contact each other using their real IP addresses; components in different Locations use the Contact Address that the target element defines for the caller's Location, or its Default contact address.

Figure 6.1 Locations

Typical case: the Management Server and Log Server are at headquarters behind NAT; a firewall at a remote site is placed in its own Location and contacts the servers through the Contact Addresses defined for that Location. The engine's own Contact Addresses are defined in its interface properties when the element is created; for VPN, the contact addresses also determine the gateway addresses used by remote gateways.

Configuration overview:
1. Define Location elements (page 27).
2. Define Contact Addresses for the Management Server and Log Server (page 29).
3. Place the firewall element in a Location and define its Contact Addresses in the engine properties (page 33 for a single firewall, page 53 for a cluster).

Defining Locations (page 27)
1. Select Configuration > Administration. The Administration Configuration view opens.
2. Expand Other Elements.
3. Right-click Locations and select New Location. The Location Properties dialog opens.
4. Enter a Name.
5. Select the elements that belong to the Location.
6. Click Add.
7. Repeat steps 5-6 until all members are added.
8. Click OK.

Contact Addresses of the SMC servers (page 29)
The Management Server and Log Server need Contact Addresses for the Locations that reach them through NAT. With Multi-Link, several Contact Addresses can be defined for the same Location.
1. Right-click the Management Server or Log Server element and select Properties. The Properties dialog opens.
2. Select the server's own Location.
3. Enter the Default contact address: the address used by components in all Locations that have no exception.
4. Under Exceptions, add Location-specific contact addresses; they override the Default Contact Address for the listed Locations.
5. Click OK.

If the server has no Contact Address for a Location, components in that Location try its real IP address, which does not work through NAT.

What's next? Define a single firewall (page 33) or a firewall cluster (page 53).
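The Location and Contact Address rules in this chapter are mechanical, so they can be checked before anything is typed into the Management Client. The following Python example is added here for that purpose; it is not code from the StoneGate guide or from Stonesoft, and every element name and address in it is constructed. It resolves which address each component uses to reach each other component and lists the pairs that would fall back to a real (NATed) address because no Contact Address exists.

```python
"""Contact-address resolution between StoneGate components, modelled after the
Location / Contact Address rules of this chapter. Added example: not code from
the StoneGate guide or from Stonesoft. All names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_LOCATION = "Default"   # every element is here unless placed elsewhere


@dataclass
class Component:
    name: str
    real_ip: str                                  # address configured on the host itself
    location: str = DEFAULT_LOCATION
    default_contact: Optional[str] = None         # the "Default" contact address
    exceptions: Dict[str, str] = field(default_factory=dict)   # Location -> address


def contact_address(caller: Component, target: Component) -> str:
    """Address `caller` uses to reach `target`.

    Same Location: no NAT between them, the real address is used.
    Different Location: the target's Exception for the caller's Location wins,
    then the target's Default contact address; with neither defined the caller
    falls back to the real address, which only works if no NAT is in the path.
    """
    if caller.location == target.location:
        return target.real_ip
    if caller.location in target.exceptions:
        return target.exceptions[caller.location]
    if target.default_contact is not None:
        return target.default_contact
    return target.real_ip


def resolve_all(components: List[Component]) -> Dict[str, Dict[str, str]]:
    """Matrix caller -> target -> address for every ordered pair."""
    return {c.name: {t.name: contact_address(c, t) for t in components if t is not c}
            for c in components}


def missing_contact_addresses(components: List[Component]) -> List[str]:
    """Pairs 'caller->target' where the caller sits in another Location than
    the target and the target declares neither a Default contact address nor
    an Exception for the caller's Location: the caller would use the real IP."""
    problems = []
    for t in components:
        for c in components:
            if c is t or c.location == t.location:
                continue
            if c.location not in t.exceptions and t.default_contact is None:
                problems.append(f"{c.name}->{t.name}")
    return problems


def build_sample() -> List[Component]:
    """Constructed topology: SMC servers at headquarters behind NAT, one firewall
    in the same Location, two firewalls in remote Locations."""
    return [
        Component("Management Server", "192.168.10.5", "Headquarters",
                  default_contact="203.0.113.10"),
        Component("Log Server", "192.168.10.6", "Headquarters",
                  default_contact="203.0.113.11",
                  exceptions={"Branch": "198.51.100.11"}),  # branch uses a private link
        Component("HQ Firewall", "192.168.10.1", "Headquarters"),
        Component("Branch Firewall", "10.20.0.1", "Branch"),
        Component("Remote Firewall", "10.30.0.1", "Remote"),
    ]


if __name__ == "__main__":
    comps = build_sample()
    for caller, targets in resolve_all(comps).items():
        for target, addr in targets.items():
            print(f"{caller:18} -> {target:18} via {addr}")
    print("pairs with no contact address:", missing_contact_addresses(comps))
```

In the constructed sample the firewalls themselves have no Contact Addresses, so the check reports that the Management Server in Headquarters would try the Branch and Remote firewalls' real addresses; that is exactly the case in which Node-initiated contact to Management Server (Chapter 7) or a Contact Address on the engine is needed.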

    : - 33

    - 53 - 71

    - 77

  • 32

Chapter 7: Configuring a single firewall (page 33)

The firewall element is created in the Management Center before the engine software is installed. This chapter is done in the Management Client. For a firewall cluster, see Chapter 8 (page 53).

Contents: Overview (page 34), Creating the element (page 34), Physical interfaces (page 36), VLAN interfaces (page 37), ADSL interface (page 38), IP addresses for physical, VLAN and ADSL interfaces (page 41), Modem interface and interface options (page 48), Binding the license (page 50)

Overview (page 34)
1. Create the Single Firewall element (page 34).
2. Define the physical interfaces (page 36).
3. (Optional) Define an ADSL interface (page 38).
4. (Optional) Define a modem interface (page 48).
5. Bind a management-bound license to the element (page 50).

Interfaces in the Management Center: the interface through which the engine communicates with the Management Server and Log Server is the control interface. Each interface is identified by an Interface ID. By default the Interface IDs follow the order in which the engine detects its network cards (eth0 is Interface ID 0, and so on); the mapping can be changed when the engine is installed (Chapter 11) or configured from a USB stick. Modem interfaces are numbered separately, starting from Modem Interface 0.

ADSL: one ADSL interface is supported, on a supported ADSL card, and it has its own Interface ID in the Management Center.
3G modems: USB modems, identified by their IMEI code, are configured as Modem Interfaces with a Modem Number (ID).

For details, see the Online Help of the Management Client and the StoneGate Administrator's Guide (see also page 149).

Creating the Single Firewall element (page 35)
1. Select System Status.
2. Right-click Firewalls and select New > Single Firewall. The Single Firewall Properties dialog opens.
3. Enter a Name.
4. Select the Log Server that stores this firewall's logs.
5. (Optional) Select a Location if NAT is used between the firewall and the Management Server (see Chapter 6, page 25).

Physical interfaces (page 36)
Interface types:
- Normal: one network card.
- Aggregated Link in High-Availability Mode: two cards; one is active and the other takes over if it fails.
- Aggregated Link in Load-Balancing Mode: two cards used in parallel according to IEEE 802.3ad; the switch must support LACP (Link Aggregation Control Protocol) and have it enabled.
1. Switch to the Interfaces tab.
2. Right-click the empty area and select New > Physical Interface. The Physical Interface Properties dialog opens.
3. Select the Interface ID.
4. Select the Type. For an aggregated link, also select the Second Interface ID.
5. Click OK. Repeat for each network card.

VLAN interfaces (page 37)
A physical interface can carry up to 4094 VLAN interfaces.
1. Right-click the physical interface and select New > VLAN Interface. The VLAN Interface Properties dialog opens.
2. Enter the VLAN ID (1-4094). It must match the VLAN ID configured on the switch port.
3. Click OK. The VLAN interface is shown as Interface-ID.VLAN-ID; for example, 2.100 is VLAN 100 on Interface ID 2.

ADSL interface (page 38)
Supported ADSL standards: ANSI T1.413 issue 2, G.lite, Annex A.
1. Switch to the Interfaces tab.
2. Right-click and select New > ADSL Interface. The ADSL Interface Properties dialog opens.
3. Select the Interface ID reserved for the ADSL card.
4. Click Select to choose the Service Provider. The Select Element dialog opens.
5. Select your ISP and click Select. The ISP element defines the encapsulation (for example Ethernet over ATM). If your ISP is not listed, click New and define it: Name, Country and Type (for example Ethernet over ATM).
6. Click OK to close the ADSL Interface Properties.

IP addresses (page 41)
Physical, VLAN and ADSL interfaces can have IPv4 addresses; physical and VLAN interfaces can also have IPv6 addresses.

Adding an IPv4 address:
1. Switch to the Interfaces tab.
2. Right-click the Physical or VLAN interface and select New > IPv4 Address (for an ADSL interface: New IPv4 Address). The IP Address Properties dialog opens.
3. Enter the IPv4 Address.
4. Enter the Netmask. The Network Address and Broadcast IP Address are filled in automatically.
5. If NAT is used between this interface and other components, define the Contact Address: Default (used by all other Locations), Dynamic (for dynamically assigned addresses), and Location-specific Exceptions (page 42).
6. Click OK.

VRRP on a VLAN interface (page 43)
1. Click VRRP Settings. The VRRP Settings dialog opens.
2. Select Enable VRRP.
3. Enter the ID, Priority and IPv4 Address of the virtual router.
4. Click OK.

Adding an IPv6 address (page 44)
1. Switch to the Interfaces tab.
2. Right-click the physical or VLAN interface and select New > IPv6 Address. The IP Address Properties dialog opens.
3. Enter the IPv6 Address.
4. Enter the Prefix Length (0-128).
5. Click OK.

Dynamic IPv4 address (page 45)
Only IPv4 addresses can be dynamic (DHCP or PPPoE); IPv6 addresses are static. Select Dynamic in the IP Address Properties; the DHCP Index distinguishes several dynamic interfaces from each other. If NAT is used, set the Contact Address to Dynamic and add Exceptions per Location as needed (page 46). For PPPoE (page 46):
1. Click PPPoE Settings. The PPPoE Settings dialog opens.
2. Select Enable PPPoE.
3. Enter the User Name, the Password and, if required by the ISP, the Service Name. Hide masks the password in the dialog.
4. Click OK.

Modem (3G) interface (page 47)
1. Switch to the Interfaces tab.
2. Right-click and select New > Modem Interface. The Modem Interface Properties dialog opens.
3. Enter the Modem Number and, if known, the IMEI of the modem.
4. Enter the DHCP index (the modem interface receives its address dynamically).
5. Enter the PIN of the SIM card and the Phone Number to dial, if required.
6. Enter the Access Point Name, Username, Password and Service Name as given by the operator.
7. Click OK. The settings must match what the 3G operator requires; the modem is then usable by the StoneGate engine.

Interface options (page 49)
At least one IPv4 address must be defined before the options can be set.
1. Click Options on the Interfaces tab. The Interface Options dialog opens.
2. Select the Primary control interface for communication with the Management Server.
3. (Optional, recommended) Select a Backup control interface that is used if the primary one fails.
4. Select Node-initiated contact to Management Server if the firewall is behind NAT so that the Management Server cannot open connections to it.
5. Select the Identity for Authentication Requests: the address the firewall presents when it queries external authentication servers.
6. Click OK.
7. Click OK to close the Firewall Properties.
8. A Confirmation dialog opens; click No and continue with binding the license.

Binding a management-bound license (page 50)
A management-bound license is delivered against the Management Server's POL code and must then be bound to the firewall element; a POS (appliance) license is bound to the appliance's serial number automatically. Firewalls with a dynamic control IP address must use a management-bound license.
1. Select Configuration > Administration. The Administration Configuration view opens.
2. Expand Licenses > Firewall.
3. Right-click the license and select Bind. The Select License Binding dialog opens.
4. Select the firewall element.
5. Click Select. To remove the binding later, right-click the license and select Unbind. If the element is deleted, its license is kept in the Retained state and can be bound to another element.

What's next? Save the initial configuration (Chapter 9, page 71).

Chapter 8: Configuring a firewall cluster (page 53)

The cluster element is created in the Management Center before the engines are installed. This chapter is done in the Management Client. For a single firewall, see Chapter 7 (page 33).

Contents: Overview (page 54), Creating the element (page 54), Adding nodes (page 56), Physical interfaces (page 56), VLAN interfaces (page 58), IP addresses (page 59), Binding the licenses (page 67)

Overview (page 54)
1. Create the Firewall Cluster element (page 54).
2. Add the nodes (page 56).
3. Define the physical interfaces and their addresses (page 56).
4. Bind a management-bound license to each node (page 67).

Cluster interfaces: the Control Interface carries communication with the Management Server and Log Server. The Heartbeat Interface carries the heartbeat and state synchronization between the nodes; a dedicated network is recommended for it. Traffic inspected by the cluster is addressed to Cluster Virtual IP Addresses (CVI); see the example on page 155. Interface IDs map to the network cards as for a single firewall (eth0 is Interface ID 0 by default; the mapping can be changed at engine installation or from a USB stick).

Creating the Firewall Cluster element (page 55)
1. Select System Status.
2. Right-click Firewalls and select New > Firewall Cluster. The Firewall Cluster Properties dialog opens.
3. Enter a Name.
4. Select the Log Server.
5. (Optional) Select a Location if NAT is used between the cluster and the Management Server (see Chapter 6, page 25).

Adding nodes (page 56)
A cluster can have up to 16 nodes.
1. Click Add Node in the Firewall Cluster Properties. The Engine Node Properties dialog opens.
2. (Optional) Change the Name.
3. Click OK. Repeat for each node.

Physical interfaces (page 56)
Interface types: Normal (one network card); Aggregated Link in High-Availability Mode (two cards, one active, the other takes over on failure); Aggregated Link in Load-Balancing Mode (IEEE 802.3ad; the switch must support LACP and have it enabled).
1. Switch to the Interfaces tab.
2. Right-click and select New > Physical Interface. The Physical Interface Properties dialog opens.
3. Select the Interface ID.
4. Select the Type; for an aggregated link, also the Second Interface ID.
5. Select the CVI Mode. Packet Dispatch is the default; enter the unicast MAC Address used for the CVI in this mode. The other CVI modes are explained in the Firewall/VPN Reference Guide.
6. (Optional) Change the MTU if the network uses something other than the Ethernet default of 1500.
7. Click OK. Repeat for each interface.

VLAN interfaces (page 58)
A physical interface can carry up to 4094 VLAN interfaces.
1. Right-click the physical interface and select New > VLAN Interface. The VLAN Interface Properties dialog opens.
2. Enter the VLAN ID (1-4094); it must match the switch configuration.
3. Click OK. The VLAN interface is shown as Interface-ID.VLAN-ID, for example 2.100 for VLAN 100 on Interface ID 2.

IP addresses (page 59)
Two kinds of addresses are used:
- Cluster Virtual IP Address (CVI): shared by the whole cluster; handles the traffic the cluster inspects.
- Node Dedicated IP Address (NDI): unique to each node; used for the node's own communications (with the Management Server, the heartbeat between nodes, and so on).
An interface can have a CVI, an NDI for each node, or both, also on VLAN interfaces. The heartbeat interface needs only NDIs. The cluster addresses in this guide are IPv4.

Adding IPv4 addresses (page 60)
1. Switch to the Interfaces tab.
2. Right-click the physical or VLAN interface and select New > IPv4 Address. The IP Address Properties dialog opens.
3. Select Cluster Virtual IP Address if the interface handles inspected traffic.
4. Enter the IPv4 Address of the CVI.
5. Select Node Dedicated IP Address if the interface also carries the nodes' own traffic; the heartbeat interface needs an NDI on every node.
6. Enter the IPv4 Address for each node.
7. Enter the Netmask; it applies to the CVI and the NDIs on this interface.
8. If NAT is used, define the Contact Addresses (pages 61-62): for the CVI, a Default or Dynamic contact address plus Location Exceptions; for each NDI, the Contact Address and per-Location Exceptions (click Add, select the Location, enter the address).
9. Click OK. Repeat for each interface.

Interface options (page 63)
1. Click Options. The Interface Options dialog opens.
2. Select the Primary control interface for Management Server communication.
3. (Optional) Select a Backup control interface.
4. Select the Primary heartbeat interface. Heartbeat traffic is essential to the cluster, so a dedicated interface is recommended.
5. (Optional, recommended) Select a Backup heartbeat interface on a different physical interface.
6. Select the Identity for Authentication Requests.
7. Select the Default IP for Outgoing Connections: the NDI the nodes use as the source address of their own connections.
8. Click OK. In the Interfaces tab, the Info column shows the roles: A = authentication identity, C/c = primary/backup control, H/h = primary/backup heartbeat, O = default IP for outgoing connections.

Check that each node has the addresses it needs before saving; missing NDIs and a missing heartbeat interface are the usual causes of a cluster that does not form. See the Online Help for the detailed rules.

Static ARP entries (page 65)
Static ARP entries bind an IP address to a MAC address on an interface; they may be needed for devices that must reach a Cluster Virtual IP Address through a fixed IP/MAC pair.
1. Switch to the ARP Entries tab.
2. Click Add ARP Entry. The ARP Entry Properties dialog opens.
3. Select Static as the Type.
4. Select the Interface ID of the interface the entry applies to.
5. Enter the IP Address and the MAC Address.
6. Click OK. Then click OK to close the Firewall Cluster Properties; a Confirmation dialog opens, click No.

Binding management-bound licenses (page 67)
A management-bound license is delivered against the Management Server's POL code and must be bound to each node; a POS (appliance) license is bound to the appliance's serial number automatically. Nodes with a dynamic control IP address must use management-bound licenses.
1. Select Configuration > Administration. The Administration Configuration view opens.
2. Expand Licenses > Firewall.
3. Right-click the license and select Bind. The Select License Binding dialog opens.
4. Select the node and click Select. To remove the binding later, select Unbind. If the element is deleted, its license is kept in the Retained state and can be bound to another element.

What's next? Save the initial configuration (Chapter 9, page 71).

Chapter 9: Saving the initial configuration (page 71)

When the firewall element has been defined in the Management Center, an initial configuration is saved for the engine. The engine uses it to make its first contact with the Management Server.

Contents: Overview (page 72), Saving the configuration (page 72), Transferring it to the engine (page 75)

1. Save the initial configuration in the Management Client (page 72).
2. Transfer it to the engine (page 75).

The initial configuration contains a one-time password with which the engine authenticates itself to the Management Server at first contact; the password is valid for one contact only. Save the configuration to a USB stick (recommended; it also enables the automatic configuration described in Chapter 11), or note the details and enter them manually on the engine.

1. Select Configuration > Firewall. The Firewall Configuration view opens.
2. Expand Firewalls.
3. Right-click the firewall (or cluster) and select Configuration > Save Initial Configuration. The Initial Configuration dialog opens.
4. (Optional) Select whether the Management Server SSL Fingerprint is included; entering it on the engine (Key fingerprint) lets the engine verify the Management Server's identity at first contact.
5. Select One-Time Password to generate the password; write it down if you configure the engine manually.
6. Click Save As and save the configuration to a USB stick.
7. Click Close.
For a cluster the dialog lists the nodes: 1. (Optional) Select Enable SSH for the node. 2. Select the node. 3. Click Save As and save to the USB stick. 4. Click Close.

Notes: SSH access to the engine can be enabled and disabled later from the Management Client. The engine's clock must agree with the Management Server's clock (both operate in UTC); a large time difference prevents the initial contact. Each saved initial configuration contains a new one-time password; the engine must be given the password from the configuration that was saved last.

What's next? On a StoneGate appliance, install the engine as described in the Appliance Installation Guide and then configure routing and a policy (page 77); details are in the Online Help of the Management Client and in the Administrator's Guide PDF. On Intel-compatible hardware, continue with Chapter 11 (page 99).

Chapter 10: Configuring routing and basic policies (page 77)

After the engine has contacted the Management Server with its one-time password, routing and a policy must be defined and installed from the Management Client.

Contents: Routing (page 78), IP address count limited licenses (page 89), Policies (page 89), Commands and status (page 96)

Routing (page 78)
Routing is configured in the Management Client. Directly connected networks are added automatically from the interface addresses; other destinations are added with elements:
- Network elements: IP networks reachable through a gateway.
- Router elements: next-hop gateways for routes that are not part of Multi-Link, for example a single (non-Multi-Link) ISP link or an internal router; an ISP link used in Multi-Link is a NetLink instead.
- NetLink elements: next-hop gateways for Multi-Link; each NetLink describes one ISP link (Static NetLink or Dynamic NetLink).
The Routing view shows a tree: firewall, interfaces, their networks, the gateways and the networks behind them.

Note for Aggregated Link in Load-Balancing Mode: the switch must support LACP (Link Aggregation Control Protocol) and LACP must be enabled on it.

Viewing the routing (page 79)
1. Select Configuration > Firewall and then Routing. The Routing view opens.
2. Expand the firewall's branch (Tools > Expand All shows everything).
The Any Network element represents the default route: traffic whose destination matches no more specific route is sent to the gateway under which Any Network is placed. A Network element under a gateway routes only that network there. Any Network may be placed under only one gateway, or under the Multi-Link element.

Default route through one ISP link (page 80)
Right-click the network under the Internet-facing interface and select New > Router. If the interface address is assigned by DHCP or PPP, the gateway already appears as Gateway (DHCP Assigned) and no Router element is needed; continue with Any Network below. In the Router Properties:
1. Enter a Name.
2. Enter the IPv4 Address and/or IPv6 Address of the gateway.
3. Click OK.
Right-click the Router and select New > Any Network. Existing Router elements can also be dragged from the element list into the tree.

Default route through Multi-Link (page 82)
Right-click the network under each ISP interface and select New > Static NetLink (fixed address) or New > Dynamic NetLink (DHCP or PPPoE address). In the NetLink Properties:
1. Enter a Name.
2. (Static NetLink) Click Select Gateway.
3. Select an existing Router under Network Element, or
4. expand Routers and click New Router.
5. Enter a Name.
6. Enter the IPv4 Address / IPv6 Address of the ISP's gateway.
7. Click OK. The Router is now the NetLink's gateway.
8. Click Select.
Then select the ISP's network:
1. Click Select Network.
2. Expand Networks.
3. Select the network, or create it with New > Network. In the Network Properties: 4. enter a Name; 5. enter the IPv4 Address and Netmask, or the IPv6 Address and Prefix Length (0-128); 6. (optional) select Broadcast and Network Addresses Included; 7. click OK.
8. Click Select.
Finish the NetLink:
1. (Optional) Adjust the Probing Settings, Input Speed and Output Speed; the Online Help explains their effect on Multi-Link.
2. Click OK.
When all NetLinks exist, right-click the Multi-Link element and select New > Any Network. The default route is then shared by the NetLinks: Multi-Link probes each link and moves traffic to the working links when one fails.

Do not place Any Network under both a NetLink and a Router; mixed configurations are described in the Management Client's Online Help.

Other routes (page 87)
For networks behind an internal router, right-click the network under the interface and select New > Router (not a NetLink; see Multi-Link, page 82). In the Router Properties:
1. Enter a Name.
2. Enter the IPv4 Address / IPv6 Address of the router.
3. Click OK.
Then right-click the Router and select New > Network. In the Network Properties:
1. Enter a Name.
2. Enter the IPv4 Address and Netmask, or the IPv6 Address and Prefix Length (0-128).
3. (Optional) Select Broadcast and Network Addresses Included.
4. Click OK. Repeat for every network reachable through that router.

Antispoofing (page 88)
StoneGate generates its antispoofing rules from the routing configuration: a packet whose source address is not routed through the interface on which it arrives is considered spoofed and dropped. The routing must therefore include every network from which traffic enters the firewall, not only the destinations. Exceptions can be defined with Host Antispoofing; see the Online Help of the Management Client.
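The antispoofing rule above is easy to get wrong when an internal range is split across interfaces, so it is worth seeing the derivation run. The following Python example is added here; it is not code from the StoneGate guide or from Stonesoft, and its Interface IDs, routes and packets are constructed. It applies the same rule the chapter states, with a longest-prefix lookup so that a more specific route through another interface takes precedence, and handles both IPv4 and IPv6 routes.

```python
"""Antispoofing derived from routing, as this chapter describes for StoneGate:
a packet is dropped when its source address is not routed through the
interface it arrived on. Added example, not from the StoneGate guide or from
Stonesoft; Interface IDs, networks and packets are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    interface_id: int      # StoneGate Interface ID the route points out of
    network: str           # "0.0.0.0/0" or "::/0" stands for the Any Network default route


def lookup_interface(routes: List[Route], src: str) -> Optional[int]:
    """Longest-prefix match: the interface the engine would use to send
    traffic back to `src`; None if nothing matches (no default route)."""
    addr = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.network, strict=False)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_iface, best_len = r.interface_id, net.prefixlen
    return best_iface


def antispoofing_allows(routes: List[Route], arrived_on: int, src: str) -> bool:
    """Legitimate only if the source is routed via the arrival interface;
    anything else is spoofed, or the routing is incomplete."""
    return lookup_interface(routes, src) == arrived_on


def allowed_sources(routes: List[Route], interface_id: int) -> List[str]:
    """Networks routed through one interface. More specific routes via other
    interfaces are holes in these networks, which is why the check above uses
    a lookup rather than this list."""
    return [r.network for r in routes if r.interface_id == interface_id]


def evaluate(routes: List[Route],
             packets: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """(arrival interface, source) -> (interface, source, verdict)."""
    return [(ifc, src, "pass" if antispoofing_allows(routes, ifc, src) else "drop: spoofed")
            for ifc, src in packets]


# Constructed routing: ID 0 internal LAN, ID 1 Internet (default route),
# ID 2 DMZ, which also owns a more specific slice of the internal range.
SAMPLE_ROUTES = [
    Route(0, "10.0.0.0/16"),
    Route(2, "10.0.5.0/24"),
    Route(2, "172.16.0.0/16"),
    Route(1, "0.0.0.0/0"),
    Route(0, "2001:db8:1::/64"),
    Route(1, "::/0"),
]

# Constructed packets: (arrival Interface ID, source address)
SAMPLE_PACKETS = [
    (0, "10.0.1.7"),          # internal host on the internal interface: pass
    (1, "10.0.1.7"),          # internal address arriving from the Internet: spoofed
    (0, "10.0.5.7"),          # belongs to the DMZ slice, wrong interface: spoofed
    (2, "10.0.5.7"),          # same source on the DMZ interface: pass
    (1, "203.0.113.5"),       # public address on the default-route interface: pass
    (1, "2001:db8:1::10"),    # internal IPv6 prefix from the Internet: spoofed
]

if __name__ == "__main__":
    for ifc, src, verdict in evaluate(SAMPLE_ROUTES, SAMPLE_PACKETS):
        print(f"Interface {ifc}  src {src:18}  {verdict}")
```

The third packet is the case that surprises people: 10.0.5.7 is inside the LAN's 10.0.0.0/16, yet the engine drops it on Interface 0 because routing says that /24 lives behind Interface 2. A missing route produces the same symptom, so "dropped as spoofed" in the logs usually means the routing tree is incomplete rather than that an attack is under way.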

IP address count limited licenses (page 89)
Some licenses limit the number of protected IP addresses. Addresses on the Internet side of the firewall are not meant to be counted: in the Routing view, right-click the network that leads to the Internet and select Exclude from IP Counting. With Multi-Link, do this for each ISP network; see www.stonesoft.com/support for details.

Creating a policy (page 89)
A policy is created from a template. The Default template contains the rules StoneGate needs for its own communications, so you only add rules for your traffic. This example adds an IPv4 Access rule that allows ping from a test host.
1. Select Configuration > Firewall. The Firewall Configuration view opens.
2. Right-click Firewall Policies and select New > Firewall Policy.
3. Enter a Name.
4. Select the template. Default is suitable in most cases.
5. Click OK. The policy opens for editing; add rules with Rule > Add Rule.

Example ping rule (page 91)
1. Right-click Network Elements > Hosts and select New > Host. The Host Properties dialog opens.
2. Enter a Name, for example Test.
3. Enter the IPv4 Address / IPv6 Address of the host.
4. Click OK.
5. Drag the Host element to the Source cell of the rule.
6. Right-click the Destination cell and select Set to ANY.
7. Right-click the Service cell and select a service.
8. Select the ICMP Ping Service.
9. Set the Action to Allow. Rules are matched from the top down; add more rules with Rule > Add Rule Before / Add Rule After. Remove the ping rule once connectivity from the Test host is confirmed; until then the host can ping through the firewall, and other traffic is still matched by the remaining rules.

Example NAT rule (page 93)
If the Test host has a private address, a NAT rule is needed for it to reach the Internet. (Multi-Link networks also need NAT; see the Online Help and the Administrator's Guide.)
1. Switch to the IPv4 NAT tab.
2. Add a rule.
3. Drag the Host element to the Source cell.
4. Right-click the Destination cell and select Set to ANY.
5. Select the ICMP Ping Service in the Service cell.
6. Right-click the NAT cell and select Edit NAT. The Network Address Translation dialog opens.
7. Select Static as the Translation Type (source translation).
8. Enter the public IP address to which the Test host's address is translated.
9. Click OK. Access rules are matched on the original (pre-NAT) addresses; the NAT rule then rewrites the source address of the allowed connection. Remove the rule together with the ping rule when testing is finished.

Installing the policy (page 94)
1. Select File > Save and Install.
2. Select the firewall(s) on which the policy is installed.
3. Click Add.
4. Leave Validate Policy Before Upload selected to check the policy for errors before it is transferred.
5. Click OK.

Commands and status (page 95)
The firewall's status is monitored and basic commands are given from the Management Client; details are in the Online Help and the Administrator's Guide PDF.
1. Select System Status.
2. Select the firewall in the SMC Status tree. The Info panel shows its status.
3. Right-click the firewall: the Commands submenu offers Go Online / Go Offline, and Status shows connectivity, hardware and cluster state.
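The ping and NAT rules built in this chapter are small enough to model exactly, which makes the two points that usually confuse first-time policy authors visible: rules are read top-down with the first match deciding, and the access rule is evaluated on the original addresses before the NAT rule rewrites the source. The following Python example is added here; it is not code from the StoneGate guide or from Stonesoft, its rule matching is a simplified model of the policy engine, and all hosts, addresses and packets are constructed.

```python
"""Evaluation of an access rule and a static NAT rule of the kind built in
this chapter (Test host -> ANY, ICMP Ping Service, Allow; then static source
NAT). Added example, not from the StoneGate guide or from Stonesoft; rules,
hosts and packets are constructed and the matching is a simplified model."""
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, List, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str            # e.g. "ICMP Ping" or "TCP/80"


@dataclass(frozen=True)
class AccessRule:
    source: str             # ANY, a host address, or a network in CIDR form
    destination: str
    service: str            # ANY or a service name
    action: str             # "Allow" or "Discard"


@dataclass(frozen=True)
class NatRule:
    source: str
    destination: str
    service: str
    translated_source: str  # Static translation of the source address


def _cell_matches(cell: str, value: str) -> bool:
    if cell == ANY:
        return True
    return ipaddress.ip_address(value) in ipaddress.ip_network(cell, strict=False)


def _rule_matches(rule, pkt: Packet) -> bool:
    return (_cell_matches(rule.source, pkt.src)
            and _cell_matches(rule.destination, pkt.dst)
            and rule.service in (ANY, pkt.service))


def first_match(rules, pkt: Packet):
    """Rules are read top-down; the first match decides."""
    return next((r for r in rules if _rule_matches(r, pkt)), None)


def evaluate(pkt: Packet, access_rules: List[AccessRule],
             nat_rules: List[NatRule]) -> Tuple[str, Packet]:
    """Return (verdict, packet as forwarded).

    Access rules see the original addresses. Only an allowed connection is
    then passed through the NAT rules; no matching access rule means Discard
    (the implicit final deny of a policy built on the Default template)."""
    rule = first_match(access_rules, pkt)
    if rule is None or rule.action != "Allow":
        return "Discard", pkt
    nat = first_match(nat_rules, pkt)
    if nat is None:
        return "Allow", pkt
    return "Allow", replace(pkt, src=nat.translated_source)


# Constructed policy: the Test host may ping anything; its private address is
# statically translated to a public one on the way out.
TEST_HOST = "10.0.1.50"
PUBLIC_IP = "203.0.113.50"
SAMPLE_ACCESS = [AccessRule(TEST_HOST, ANY, "ICMP Ping", "Allow")]
SAMPLE_NAT = [NatRule(TEST_HOST, ANY, "ICMP Ping", PUBLIC_IP)]


def run_sample() -> Dict[str, Tuple[str, str]]:
    """Verdict and forwarded source address for three constructed packets."""
    cases = {
        "ping from Test host": Packet(TEST_HOST, "198.51.100.7", "ICMP Ping"),
        "ping from another host": Packet("10.0.1.51", "198.51.100.7", "ICMP Ping"),
        "http from Test host": Packet(TEST_HOST, "198.51.100.7", "TCP/80"),
    }
    out = {}
    for label, pkt in cases.items():
        verdict, fwd = evaluate(pkt, SAMPLE_ACCESS, SAMPLE_NAT)
        out[label] = (verdict, fwd.src)
    return out


if __name__ == "__main__":
    for label, (verdict, src) in run_sample().items():
        print(f"{label:24} -> {verdict:8} source on the wire: {src}")
```

Because the NAT rule's Source cell holds the host's private address, a NAT rule written with the public address instead would never match; that is the consequence of access and NAT rules both seeing pre-translation addresses.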

Part 4: Installing engines

Chapter 11: Installing the engine on Intel-compatible platforms (page 99)

StoneGate engines run on StoneGate appliances or on Intel-compatible hardware (Intel and AMD processors) that meets the hardware requirements.

Contents: Overview (page 100), Obtaining the installation files (page 100), Checking the integrity of the files (page 101), Installing the engine (page 102), Expert Mode partitioning (page 112)

Overview (page 100)
StoneGate appliances are delivered with the engine software preinstalled; for them, follow the Appliance Installation Guide. On other hardware the engine is installed from an installation CD, after which it is configured to contact the Management Server:
1. Obtain the installation files from Stonesoft (page 100).
2. Verify the integrity of the files (page 101).
3. Install the engine and configure the contact with the Management Server (page 102).

Obtaining the installation files (page 100)
1. Go to Stonesoft Downloads: https://my.stonesoft.com/download.
2. Download the .iso image of the engine version you are installing.
Make sure that the hardware meets the requirements for the StoneGate version and read its Release Notes. Before installing, check the BIOS settings for Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI); the guide asks for them to be disabled.

Checking the integrity of the installation files (page 101)
Stonesoft publishes MD5 and SHA-1 checksums of the files on the download page; compare them with the checksums of the files you downloaded before using them. On Windows, use a third-party MD5/SHA-1 tool. On Linux and other Unix-like systems:
1. Open the download page at https://my.stonesoft.com/download/.
2. Note the checksum(s) shown for the file.
3. Compute the checksum of the downloaded file with md5sum filename or sha1sum filename, where filename is the downloaded file, for example:

$ md5sum sg_engine_1.0.0.1000.iso
869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

4. Compare the result with the published value. Do not use a file whose checksum differs; download it again.

MD5 and SHA-1 are no longer collision-resistant, so this check detects a corrupted or casually altered download but is only as trustworthy as the reference value; take it from the vendor's page over HTTPS, not from the same mirror as the file.

Burn the verified .iso image to a CD; the image is bootable. If the initial configuration was saved to a USB stick (Chapter 9, page 71), the engine can be configured from it automatically during installation (page 103); otherwise keep the one-time password and the Management Server details at hand. The installation then proceeds in the same way on all supported Intel-compatible hardware; a StoneGate engine becomes operational only after it has contacted the Management Server.

Installing the engine (page 102)
1. Boot the computer from the StoneGate installation CD. The installer starts.
2. Type YES and press ENTER to confirm that the hard disk may be overwritten.
3. Choose the installation type: 1 for Full Install, 2 for Full Install in expert mode (manual partitioning, see Expert Mode, page 112).
4. Choose the kernel: 1 for a single-processor system, 2 for a multiprocessor system.
5. Type YES to confirm. The engine software is installed and the computer reboots.
After the reboot the configuration wizard starts. If a USB stick with the initial configuration (and, where needed, the 3G modem settings) is present, the engine is configured from it and contacts the Management Server without the wizard (page 103); otherwise continue with the wizard (page 104).

Automatic configuration from a USB stick (page 103)
Interface IDs are mapped to the network cards in detection order: Physical Interface ID 0 is eth0, Physical Interface ID 1 is eth1, and so on. Modem Interfaces are mapped by their IMEI codes to the Modem Numbers defined in the Management Center. If the detection order does not match your element, map the IDs manually in the wizard (page 107).
1. Connect a monitor and keyboard, or a serial console, to the engine.
2. Insert the USB stick with the initial configuration.
3. Boot the engine. It reads the configuration from the USB stick and contacts the Management Server; messages and errors are written to sg_autoconfig.log on the USB stick.
If the log shows connection refused, check the Management Server's IP address, that the Management Server is running, and that nothing blocks the connection between them.
The engine is then shown as connected in the Management Client and a policy can be installed. To change the Interface ID mapping, the 3G modem settings or the Management Server contact later, run sg-reconfigure on the engine's command line. Detailed status is available in the Management Client; see its Online Help and the Administrator's Guide.

Configuring with the wizard (page 104)
If the wizard offers to Import a configuration, the initial configuration file (Chapter 9, page 71) can be read from a USB stick:
1. Select Floppy Disk or USB Memory.
2. Select the file; its contents are shown.
3. Select Next.
Otherwise select Next to continue with the OS settings (page 105).

Configure OS Settings (page 105)
1. Select Keyboard Layout. The Select Keyboard Layout list opens.
2. Select your layout; US_English is the default if you are unsure.
3. Select Local Timezone. The Select Timezone list opens.
4. Select your timezone. The engine's clock runs in UTC internally and the timezone affects only local display; the time must match the Management Server's time.
5. Enter and confirm the password of the root account.
6. (Optional) Select Enable SSH Daemon to allow SSH logins to the engine; it can be enabled and disabled later from the Management Client.
7. Select Next. The Configure Network Interfaces screen opens.

Configure Network Interfaces (page 106)
The wizard lists the detected network cards; if the list is empty or incomplete, select autodetect to probe the hardware again, or Add to enter a card manually. Sniff shows the traffic seen on a card, which helps to find out which physical port it is. For each card:
1. Set the ID to the Interface ID defined for it in the Management Center (page 107).
2. (Optional) Set Media (speed and duplex) if autonegotiation does not work.
3. Mark Mgmt on the card that carries the control connection to the Management Server (the management interface defined in the Management Center).
Select Next. The Prepare for Management Contact screen opens (page 109).

Prepare for Management Contact (page 109)
If the initial configuration was imported from a USB stick, the Management Server details are already filled in; otherwise take them from the saved initial configuration. The default communication ports are listed on page 127.
Choose how the control interface gets its address:
- Obtain Node IP address from a DHCP server (page 110).
- Use PPPoE: select Settings and press ENTER; enter the PPPoE account details in PPPoE Settings and select OK.
- Use Modem: select Settings and press Enter; enter the modem details in Modem Settings and select OK (page 110).
- Enter node IP address manually: enter the IP address, the Netmask (required) and the Gateway to management (the gateway towards the Management Server).
Then:
1. Select Contact or Contact at Reboot.
2. Enter the Management Server's IP address (its Contact Address if NAT is in between) and the one-time password from the initial configuration.
3. (Optional) Enter the Key fingerprint of the Management Server's certificate so that the engine verifies the server it contacts.
4. Select Finish. The engine contacts the Management Server. If connection refused appears, check the Management Server's IP address, that it is running, and any NAT or filtering in between (see the default communication ports on page 141); the contact can be retried with sg-reconfigure.
In the Management Client the element first appears as Unknown / No Policy Installed, then as Connected once the contact succeeds; the Management Server then accepts the engine into the system.

What's next? Configure routing and a policy (Chapter 10, page 77).

Expert Mode (page 112)
Full Install in expert mode lets you partition the disk manually in a Linux partitioning tool instead of using the default layout. The default layout in Table 11.1 is suitable in most cases.

Table 11.1 Default partition layout
engine root A: bootable primary Linux partition, 200 MB; StoneGate Firewall engine (active version).
engine root B: primary Linux partition, 200 MB; StoneGate Firewall engine (second root, used when upgrading so that the previous version is kept).
swap: logical Linux swap partition; swap space for the StoneGate Firewall engine.
data: logical Linux partition, 500 MB; configuration and other data.
spool: logical Linux partition; log spool.

Partitioning:
1. When asked whether to continue, type y. The partitioning tool opens.
2. Create the partitions according to Table 11.1 or your own layout.
3. Check the partition table.
4. Select Write and confirm with yes.
5. Select Quit and press ENTER.
Assigning the partitions to the StoneGate file systems:
1. Confirm with yes that partitioning is complete.
2. Enter the partition number for each file system; in the default layout engine root A is 1, engine root B is 2, swap is 5, data is 6 and spool is 7.
3. Confirm with yes. The file systems are created.
4. Wait for the installer to finish.
5. Continue with the installation (page 102).

  • :

    - 117115

  • 116

  • 12

    117 StoneGate. , .

    : ( 118) ( 119) ( 120) ( 123) ( 126)

  • 118

    - Management Server. Management Server . , Management Client. . 12

    . , . , . , . . (, ..) . , , . , . . 32- 64- . , . , 32- 64- . StoneGate . , , , Management Center . Management Center , . Management Center. (Release Notes). , . , . , . , System Status. Info, General. Info , ViewInfo.

  • , (Release Notes) , . http://www.stonesoft.com/en/support/technical_support_and_documents.

    :
    1. , (. ( 119)). Online Help.

    2. , , CD, .iso .

    1. , (. ( 120)). Online Help.

    2. . , , , (. ( 123) ( 126)).

    Management Server , , , , MD5 SHA-1. Windows MD5 SHA-1, . :

    1. www.stonesoft.com/download/. : .zip . , USB flash .

    .iso .
    2. , (), .
    3. md5sum filename, sha1sum filename (filename - ). :
    $ md5sum sg_engine_1.0.0.1000.iso
    869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso


    4. .

    ZIP

    -. , Stonesoft . 12

    1. Management Client FileImportImport Engine Upgrades.

    2. , sg_engine_version_platform.zip, Import. . Management Client.

    ZIP USB flash CD-ROM-a. ISO

    , CD, .iso . .iso , .

    StoneGate , , StoneGate . (, 1.2.3 1.2.4), . - (, 1.2.3 1.3.0), , . ,

    ? , .

    . ( 123), ( 126), , .

    , . .

  • . Stonesoft. Online Help. .

    ? ,

    One Proof Code ( 121). ,

    One Proof Code POL POS . multi-upgrade, (. Multiple Proof Codes ( 121)).

    1. Stonesoft License Center: www.stonesoft.com/license/.
    2. (proof-of-license proof-of-serial number) Submit. .
    3. Update. .
    4. .

    Multiple Proof Codes POL, .

    1. Configuration Administration. Administration Configuration.

    , Multiple Proof Codes ( 121).


    2. Licenses Firewall. .


    3. , .
    4. Export License Info.
    5. , . .

    6. ( ) Yes , multi-upgrade Stonesoft License Center -.

    , Stonesoft License Center www.stonesoft.com/license/ multi-upgrade. . . License Center proof-of-license proof-of-serial number.

    , Management Client. StoneGate

    1. FileSystem Tools Install Licenses.

    2. , .

  • , . , .

    1. Configuration Administration. Administration Configuration.

    2. Licenses Firewall.

    . , , . (ask) , Online Help.

    ? , Management Client,

    . . ,

    . ( 126).


    , . . . 32- 64- .


    1. System Status. System Status.


    2. ( ) , CommandsGo Offline.


    3. Upgrade Software.

    4. , , .

    5. .

    6. (Engine Upgrade version) , .

    7. OK. , . , . . Abort, .

    , .

    , , , . , . , sg-toggle-active. boot, . . ( 133)

    , . , , .


    . , .

    ? , /

    , , . 12

    , Management Server. , . , serial . , , .

    , StoneGate , .iso , Stonesoft Stonesoft.

    1. , (root),

    ( Management Client).

    2. .

    , . . . 32- 64- .

    ? . ZIP ( 128).

    , . , , .

    3. reboot. , ,. .

    4. 1, ENTER, . ..

    5. , ENTER, . , , . . ( 102).

    6. , Management Client CommandsGo Online. sg-cluster online.

    , , , . , . , sg-toggle-active. boot, . . ( 133) . , .

    ? , ,

    , .


    ZIP , .zip . , . . , . 12

    1. , (root),

    ( Management Client).

    2. USB flash CD .
    3. sg-reconfigure. .
    4. Upgrade ENTER.

    5. , .

    6. ( ) Calculate SHA1 -. - .zip .

    7. OK. .
    8. ENTER.

    . , , , . , . , sg-toggle-active. boot, . . ( 133)

    -. Cancel, .

  • . , .

    ? , /

    , , .


    :

    - 133 - 141

    - 149 - 155


  • 13

    133 StoneGate. Administrators Guide Online Help Management Client.

    : StoneGate ( 134) ( 139)


    StoneGate StoneGate (, SOHO ). , . Administrators Guide Online Help Management Client. 13

  • 13.1 StoneGate

    sg-blacklist show [-v] [-f FILENAME] | add [-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] | del [-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] | iddel NODE_ID ID | flush

    , (blacklist). (Access Rules).

    show: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). -f (/data/blacklist/db_). -v.
    add: -i FILENAME.
    del: -i FILENAME.
    iddel NODE_ID ID: NODE_ID, ID (show).
    flush.
    src IP_ADDRESS/MASK: IP.
    dst IP_ADDRESS/MASK: IP.
    proto {tcp|udp|icmp|NUM}: IP.
    srcport PORT[-PORT]: TCP/UDP.
    dstport PORT[-PORT]: TCP/UDP.

    :
    sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
    sg-blacklist add -i myblacklist.txt
    sg-blacklist del dst 192.168.1.0/24 proto 47


    sg-bootconfig [--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply

    --primary-console=tty0|ttyS PORT,SPEED
    --secondary-console=[tty0|ttyS PORT,SPEED]
    --flavor=up|smp [-kdb]
    --initrd=yes|no (Ramdisk)
    --crashdump=yes|no|Y@X: (Y) 24M; X 16M.
    --append=kernel options
    --help
    apply

    sg-clear-all
    , StoneGate . . , .

    sg-cluster [status [-c SECONDS]] [online] [lock-online] [offline] [lock-offline] [standby] [safe-offline]

    status [-c SECONDS]: -c SECONDS.
    online
    lock-online
    offline
    lock-offline
    standby
    safe-offline

    sg-contact-mgmt
    Management Server (. sg-reconfigure). Management Server , .

    sg-ipsec -d [-u | -s

    sg-reconfigure [--boot] [--maybe-contact] [--no-shutdown]
    --boot
    --maybe-contact: Management Server.
    --no-shutdown

    sg-selftest [-d] [-h]
    -d
    -h

    sg-status [-l] [-h]
    -l
    -h

    sg-toggle-active SHA1 SIZE | --force [--debug]
    /var/run/stonegate (ls -l /var/run/stonegate). SHA1 SIZE. sg_engine_[version.build]_i386.zip file.
    --debug
    --force

    sg-upgrade
    CD-ROM. , Management Client.

    sg-version

    sginfo [-f] [-d] [-s] [-p] [--] [--help]
    Stonesoft support.
    -f sgInfo
    -d sgInfo
    -s slapcat sgInfo
    -p sgInfo ( )
    --help

    Linux, StoneGate. Ctrl+c.

    13.2

    dmesg (-h)
    halt
    ip
    ping ICMP
    ps
    reboot
    scp
    sftp FTP ( )
    ssh SSH ( )
    tcpdump (-h)
    top
    traceroute
    vpninfo VPN

  • 14

    141 StoneGate , StoneGate .

    : Management Center ( 142) /VPN ( 144)


    Management Center , Management Center (SMC) SMC . 14.1. 14.1 SMC


    , SMC . . . SMC , .


    14.1 Management Center
    Listening host | Port/protocol | Contacting host | Service description | Service definition
    DNS server | 53/UDP, 53/TCP | Management Client, Management Server, Log Server | DNS | DNS (UDP)
    LDAP server | 389/TCP | Management Server | LDAP, Management Client | LDAP (TCP)
    Log Server | 162/UDP, 5162/UDP | | SNMPv1; 162 on Windows, 5162 on Linux | SNMP (UDP)
    Log Server | 514/TCP, 514/UDP, 5514/TCP, 5514/UDP | | Syslog; 514 on Windows, 5514 on Linux | Syslog (UDP) [Partial match]
    Log Server | 3020/TCP | Log Server, Web Portal Server | | SG Log
    Log Server | 8914-8918/TCP | Management Client | | SG Data Browsing
    Log Server | 8916-8917/TCP | Web Portal Server | | SG Data Browsing (Web Portal Server)
    Management Server | 3021/TCP | Log Server, Web Portal Server | | SG Log Initial Contact
    Management Server | 8902-8913/TCP | Management Client, Log Server, Web Portal Server | | SG Control
    | 161/UDP | Log Server | SNMP, IP | SNMP (UDP)
    Management Server | 8903, 8907/TCP | Management Server | (pull) Management Server | SG Control
    RADIUS server | 1812/UDP | Management Server | RADIUS | RADIUS (Authentication)
    Management Server | 8902-8913/TCP | Management Server | (push) Management Server | SG Control
    Stonesoft | 443/TCP | Management Server | update.stonesoft.com, smc.stonesoft.com | HTTPS
    Syslog server | 514/UDP, 5514/UDP | Log Server | syslog; LogServerConfiguration.txt | Syslog (UDP) [Partial match]

    14

    /VPN , /VPN SMC . 14.2, /VPN 14.3 SOHO. .15 /VPN

    .16 SOHO

    [Figure: Firewall/VPN and SOHO port diagrams. Labels: Log Server (TCP: 3020); Management Server (TCP: 636, 4950, 4987, 8888; TCP: 3021, 3023, 8906*; TCP: 8922, 8924, 8923); cluster synchronization (TCP: 3002, 3003, 3010; UDP: 3000, 3001, Multicast); NTP Time (UDP: 123); DNS, LDAP (TCP: 389, 636), RADIUS (UDP: 1812, 1645), TACACS+ (TCP: 49), RPC; BrightCloud, DHCP (UDP: 67, 68), SNMP (UDP: 161, 162); VPN (UDP: 500, 2746, 4500); UDP: 7777. * node-initiated contact.]

    , /VPN StoneGate . . .

    14.2 Firewall/VPN
    Listening host | Port/protocol | Contacting host | Service description | Service definition
    | 80/TCP | | | HTTP
    BrightCloud | 2316/TCP | | BrightCloud | BrightCloud update
    DHCP server | 67/UDP | | DHCP, IP | BOOTPS (UDP)
    DNS server | 53/UDP, 53/TCP | | DNS | DNS (TCP)
    Firewall | 67/UDP | | DHCP | BOOTPS (UDP)
    Firewall | 68/UDP | | DHCP | BOOTPC (UDP)
    Firewall | 161/UDP | | SNMP | SNMP (UDP)
    Firewall | 500/UDP | VPN | VPN | ISAKMP (UDP)
    Firewall | 636/TCP | Management Server | | LDAPS (TCP)
    Firewall | 2543/TCP | | (Telnet) | SG User Authentication
    Firewall | 2746/UDP | StoneGate VPN | UDP, VPN | SG UDP Encapsulation
    Firewall | 3000-3001/UDP, 3002-3003/TCP, 3010/TCP | Firewall/VPN | | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
    Firewall | 4500/UDP | VPN | NAT-traversal | NAT-T
    Firewall | 4950/TCP | Management Server | | SG Remote Upgrade
    Firewall | 4987/TCP | Management Server | | SG Commands
    Firewall | 8888/TCP | Management Server | | SG Monitoring
    Firewall | 15000/TCP | Management Server | | SG Blacklisting
    LDAP server | 389/TCP | | LDAP, StartTLS | LDAP (TCP)
    Log Server | 3020/TCP | | | SG Log
    Management Server | 3021/TCP | | | SG Initial Contact
    Management Server | 3023/TCP | | | SG Reverse Monitoring
    Management Server | 8906/TCP | | node-initiated contact | SG Dynamic Control
    RADIUS server | 1812, 1645/UDP | | RADIUS | RADIUS (Authentication), RADIUS (Old)
    RPC server | 111/UDP, 111/TCP | | RPC | SUNRPC (UDP), Sun RPC (TCP)
    | 7777/UDP | | | SG Server Pool Monitoring
    SNMP server | 162/UDP | | SNMP | SNMP Trap (UDP)
    TACACS+ server | 49/TCP | | TACACS+ | TACACS (TCP)
    VPN gateway | 500/UDP, 2746/UDP (StoneGate), 4500/UDP | | VPN; 2746, 4500 | ISAKMP (UDP)

    14.3 SOHO
    Listening host | Port/protocol | Contacting host | Service description | Service definition
    | 500/UDP | | VPN, IKE (Internet Key Exchange), IPsec | ISAKMP (UDP)
    Management Server | 8922/TCP | SOHO | Management Server | SG SOHO Control
    Management Server | 8924/TCP | SOHO | | SG SOHO Initial Contact
    NTP server | 123/UDP | SOHO | | NTP (UDP)
    RADIUS server | 1812/UDP | SOHO | RADIUS | RADIUS (Authentication)

  • 15

    149 , StoneGate , : .

    : ( 150) ( 151) Management Center ( 152) ( 152)


    . , . : 1 2. . 15.1

    [Figure 15.1: example network. Cluster nodes 1 and 2 (CVI); Management Server (.101) and Log Server (.102) in the DMZ 192.168.1.0/24; ISP A 212.20.1.254/24 and ISP B 129.40.1.254/24; internal network 10.42.1.0/24; VLAN 16 172.16.1.0/24 and VLAN 17 172.17.1.0/24; node addresses .21 and .22, CVI .1 / .254.]

  • . 15.1

    . CVI: . NDI: 10.42.1.1 (node 1), 10.42.1.2 (node 2).

    (DMZ): Management Server, Log Server. CVI: 192.168.10.1. NDI: 192.168.10.21 (node 1), 192.168.10.22 (node 2).

    ISP A: CVI: 212.20.1.254. NDI: 212.20.1.21 (node 1), 212.20.1.22 (node 2). Next hop: 212.20.1.1.

    ISP B: CVI: 129.40.1.254. NDI: 129.40.1.21 (node 1), 129.40.1.22 (node 2). Next hop: 129.40.1.1.

    VLAN (VLAN ID 16): CVI: 172.16.1.1. NDI: 172.16.1.21 (node 1), 172.16.1.22 (node 2).

    VLAN (VLAN ID 17): CVI: 172.17.1.1. NDI: 172.17.1.21 (node 1), 172.17.1.22 (node 2).


    Management Center Management Server Log Server , DMZ. 15.2 Management Center

    , . 15.2

    Management Server | Management Server StoneGate Log Server. Management Server (DMZ) IP 192.168.1.101.
    Log Server | Log Server. (DMZ) IP 192.168.1.102.

    [Figure 15.3: labels 172.16.2.1/24, .254, 212.20.2.0/24, .1]

  • 15.3

    . IP: 212.20.2.254. Next hop: 212.20.2.1.

    . IP : 172.16.2.1.


  • 16

    155

    StoneGate 16.1: ID , ID ( VLAN ID, VLAN)

    CVI, CVI Interface ID ( ) NDI, NDI ( ). Interface ID, CVI/NDI.

    , , Interface ID.

    IP , CVI NDI. MAC/IGMP IP , MAC , CVI Multicast IGMP, multicast IP , multicast MAC .

    , , NDI , , IP .

    . Management Client.

    16.1 StoneGate ID
    * IP MAC / IGMP IP

    (blank worksheet; the same block is repeated for each Interface ID)

    Interface ID: ____
    CVI  U M I K A  _____._____._____._____  _____._____._____._____  MAC: ___:___:___:___:___:___  IGMP IP: _____._____._____._____
    NDI  H h C c D  _____._____._____._____  _____._____._____._____  MAC: ___:___:___:___:___:___

    *) N

    CVI: U=Unicast MAC, M=Multicast MAC, I=Multicast IGMP, K= , A=IP ; NDI: H= , h= , C= IP , c= IP , D=IP


    StoneGate :

    IP

    NAT Locations SMC Server

    VLAN ADSL IP , VLAN, ADSL IPv4 VLAN IPv6 IP

    VLAN IP IPv4 ARP-

    (Default Route) NetLink Multi-Link IP (IP Address Count Limited Licenses) NAT Rule Example Ping Rule

    Intel

    USB flash Management Server Management Server

    Expert Mode

    One Proof Code Multiple Proof Codes

    ZIP

    /VPN

    Management Center