Notes:

The -c option performs the same function as the Check Screening Rules form (Figure 54), so this option is not available on the Set Options form.

The -d option is also not available on the Set Options form. If you want to use the -d option to debug FireScreen, you must set it on the command line.

Setting the Screening Mode

To set the screening mode for FireScreen, follow these steps:

1. From the Configure FireScreen menu, choose Set Screening Mode. Figure 51 shows the Set Screening Mode form.

Figure 51 Set FireScreen Screening Mode Form

The settings on this form vary, depending on whether screening mode is enabled or disabled.

2. To change the screening mode or boot-time screening mode, click on the appropriate checkbox.

3. Click on Submit.

As long as screening mode is enabled, your system is protected from unauthorized access.

Adding a Screening Rule

Screening rules determine which IP packets are allowed to pass through the gateway to your network and which packets are to be rejected. By default, all IP packets are rejected.

You can add screening rules to the FireScreen configuration file to allow certain packets to be passed to your network. Screening rules are not checked for correct syntax at the time you add them; you must use the Check Screening Rules option on the Configure FireScreen menu to verify that the syntax of screening rules is correct.

FireScreen searches screening rules in the order that the rules appear in the FireScreen configuration file, from first to last. Because action is taken on each packet as soon as a matching rule is found, place specific rules before general rules. If no matching rule is found, the action specified by the default rule is taken. The FireScreen Administration utility forces the default rule to be the last rule in the configuration file; you cannot add screening rules after the default rule.

If the FireScreen configuration file contains conflicting screening rules, the IP packet is accepted or rejected based on the first rule encountered in the file that applies to that packet.
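The first-match behaviour described above, modelled as an added example (this is not FireScreen's own code, and the rule fields, sample addresses and packet layout are assumptions chosen for illustration, not FireScreen's configuration syntax). It shows the same two rules giving opposite results depending on their order, and a simple check that flags a rule an earlier, more general rule makes unreachable:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "reject"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # source CIDR; None matches any address
    dst: Optional[str] = None     # destination CIDR; None matches any address
    dport: Optional[int] = None   # destination port; None matches any port
    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        for net, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True

DEFAULT_RULE = Rule("reject")  # forced last: anything unmatched is rejected
def screen(rules, pkt):
    """First match wins: (action, index) of the first matching rule, else the default."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return DEFAULT_RULE.action, len(rules)

def covers(wide: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` also matches `wide`."""
    if wide.proto is not None and wide.proto != narrow.proto:
        return False
    if wide.dport is not None and wide.dport != narrow.dport:
        return False
    for w, n in ((wide.src, narrow.src), (wide.dst, narrow.dst)):
        if w is not None and (n is None or
                              not ipaddress.ip_network(n).subnet_of(ipaddress.ip_network(w))):
            return False
    return True

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]
# Constructed sample: block telnet from one host, allow it from the rest of its subnet.
HOST_REJECT = Rule("reject", proto="tcp", src="192.0.2.7/32", dport=23)
SUBNET_ACCEPT = Rule("accept", proto="tcp", src="192.0.2.0/24", dport=23)
SPECIFIC_FIRST = [HOST_REJECT, SUBNET_ACCEPT]   # specific before general: correct order
GENERAL_FIRST = [SUBNET_ACCEPT, HOST_REJECT]    # general first: host rule is unreachable
TELNET_FROM_HOST = {"proto": "tcp", "src": "192.0.2.7", "dst": "198.51.100.10", "dport": 23}
```

Running `shadowed()` over a rule list before loading it catches the ordering mistake that a syntax check alone would pass.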

You can also delete screening rules from the FireScreen configuration file.

You must restart FireScreen for screening rule changes to take effect (Section : Starting and Stopping FireScreen).

Before setting up your firewall using FireScreen Administration, you should read the following technical report on implementing TCP/IP security policies:

http://www.research.compaq.com/nsl/publications/TN-2.html#TN-2

178 Network Security Administration