288 | Kerio Tech Firewall6 specs

Chapter 20 Logs

The ﬁrst log item is recorded upon reception of a DNS request (the DNS forwarder has not found requested DNS record in its cache). The log provides:

•DNS name from which IP address is being resolved,

•description of the packet with the corresponding DNS query (protocol, source IP address, source port, destination IP address, destination port),

•name of the line to be dialed.

Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.).

5.On-demand dialing (response to a packet sent from the local network)

[15/Mar/2004 15:53:42]	Packet
TCP 192.168.1.3:8580	-> 212.20.100.40:80
initiated dialing of	line	"Connection"
[15/Mar/2004 15:53:53]	Line	"Connection" successfully connected

The ﬁrst record is logged when WinRoute ﬁnds out that the route of the packet does not exist in the routing table. The log provides:

•description of the packet (protocol, source IP address, destination port, destina- tion IP address, destination port),

•name of the line to be dialed.

Another event is logged upon a successful connection (i.e. when the line is dialed, upon authentication on a remote server, etc.).

6.Connection error (e.g. error at the modem was detected, dial-up was disconnected, etc.)

[15/Mar/2004 15:59:08] DNS query for "www.microsoft.com" (packet UDP 192.168.1.2:4579 -> 195.146.100.100:53) initiated dialing of line "Connection"

[15/Mar/2004 15:59:12] Line "Connection" disconnected

The ﬁrst record represents a DNS record sent from the local network, from that the line is to be dialed (see above).

The second log item (immediately after the ﬁrst one) informs that the line has been hung-up. Unlike in case of a regular disconnection, time of connection and volume of transmitted data are not provided (because the line has not been connected).

288

Image 288

Kerio Tech Firewall6 manual 15/Mar/2004 155912 Line Connection disconnected, 288

Contents

Administrator’s Guide Kerio TechnologiesPage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Basic Features IntroductionKerio WinRoute Firewall Additional Features Kerio WinRoute Firewall Antivirus control Transparent support for Active DirectoryEmail alerts User quotas Conﬂicting software Clientless SSL-VPNCollision of low-level drivers Port collision Antivirus applications Installation InstallationSteps to be taken before the installation System requirements Installation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Components WinRoute Firewall EngineWinRoute Engine Monitor Kerio Administration Console WinRoute Engine MonitorWinRoute Engine Monitor Upgrade and Uninstallation Upgrade and Uninstallation UninstallationTypically the path C\Program Files\Kerio\WinRoute Firewall Upgrade from WinRoute Pro Update CheckerSetting of administration username and password Conﬁguration Wizard Remote Access Enable remote accessRemote IP address Initial conﬁguration Allowing remote administration WinRoute Administration Administration Window WinRoute Administration Administration Window Main menuFile Help menu Administration Window Status barDetection of WinRoute Firewall Engine connection drop-out View Settings Column customization in Interfaces View Settings Product Registration and Licensing License types and number of usersLicense types optional components License types and number of users Deciding on a number of users licenses License information ProductCopyright Homepage License ID Subscription expiration dateProduct expiration date Number of users Registration of the product in the Administration Console Registration of the trial version Registration of the product in the Administration Console Trial version registration security code Trial version registration other information Registration of the purchased product Trial version registration Trial ID Product Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information Update of registration information 12 Product registration summary Subscription / Update Expiration Product registration at the website Subscription / Update Expiration Bubble alerts User counter 15 The notice that the subscription has already expired User counter Start WinRouteLicense counter License release Settings for Interfaces and Network Services Network interfacesInterface IP Address and Mask Dial or Hang Up /Enebale, Disable Adapter infoAdd Modify Refresh Special interfacesDial-In VPN server Bind this interface Interface type selection Use login data from the RAS entry Use the following login dataInterface name RAS Entry Connection Dial-up demand dial Hangup if idle Advanced Connection Failover Edit Interface parameters Connection Failover Setup Enable automatic connection failoverConnection Failover Current connection Conﬁguration of primary and secondary Internet connection Primary connection Secondary connectionDial-up Use DNS Forwarder DNS Forwarder conﬁguration Enable DNS forwarding DNS ForwarderDNS forwarding Enable cache for faster response of repeated queries Enable DNS forwardingClear cache Use custom forwarding 10 Speciﬁc settings of DNS forwarding Simple DNS resolution 11 DNS forwarding a new rule Before forwarding a query Combine the name ... with DNS domain Dhcp server Dhcp server Dhcp Server ConﬁgurationDeﬁnition of Scopes and Reservations Lease time DNS serverWins server Domain Description 15 Dhcp server IP scopes deﬁnition First address, Last address Subnet maskExclusions Parameters Lease Reservations 00bca5f21e50 Bc-a5-f2-1e-50 Leases 20 Dhcp server list of leased and reserved IP addresses Dhcp server advanced options Windows RAS Proxy server Declined options Enable non-transparent proxy server Proxy serverProxy Server Conﬁguration Enable connection to any TCP port 22 Http proxy server settings Forward to parent proxy server Http//192.168.1.13128/pac/proxy.pac Enable cache on transparent proxy Enable cache on proxy serverHttp cache Http protocol TTL Http cache Cache size Memory cache size Max Http object sizeCache Options URL Speciﬁc Settings URL Cache status and administration TTL 26 Http cache administration dialog Traﬃc Policy Network Rules Wizard Network Rules Wizard InformationSelection of Internet connection type Network adapter or dial-up selection Network Policy Wizard selection of a connected adapter Internet access limitations Allow access to all services Allow access to the following services only Enabling Kerio VPN traﬃc Service is running on Service NAT Generating the rules Rules Created by the Wizard Icmp traﬃc Local Traﬃc Firewall Traﬃc How traﬃc rules work Deﬁnition of Custom Traﬃc RulesName Source, Destination 12 Traﬃc rule name, color and rule description IP range e.g Deﬁnition of Custom Traﬃc Rules Service 100 Action 101 Log 102 Translation 103 104 20 Traﬃc rule destination address translation Valid on Protocol inspector105 Basic Traﬃc Rule Types IP Translation NATSource Destination Translation Placing the rulePort mapping 107 108 Limiting Internet Access Multihoming109 110 Exclusions 111 112 How the bandwidth limiter works and how to use it Speed limits for big data volumes transmissionsBandwidth Limiter Speed limits for users with their quota exceeded Setting limit values Bandwidth Limiter conﬁgurationBandwidth Limiter 114 Services Advanced Options115 IP Addresses and Time Interval 116 Bandwidth Limiter selection of network services 117 Detection of connections with large data volume transferred 118 Detection of connections with large data volume transferred Examples119 120 User Authentication Firewall User Authentication121 User Authentication User authentication advanced options122 Firewall User Authentication Redirection to the authenticationEnable non-transparent proxy server authentication Automatic authentication Ntlm Automatically logout users when they are inactive 124 Enable Kerio SSL-VPN server Enable Web Interface HttpWeb Interface Web Interface Parameters Conﬁguration Enable secured Web Interface Https Allow access only from these IP addressesWeb Interface WinRoute server name Conﬁguration of ports of the Web Interface 127 SSL Certiﬁcate for the Web Interface Generate or Import Certiﬁcate128 129 SSL certiﬁcate of WinRoute’s Web interface Login/logout Web Interface Language PreferencesUsers logged 130 Login/logout Drdolittle@usoffice.company.com131 User password authentication Log out132 Status information and user statistics Status information and user statistics133 User preferences 134 Save settings User preferences135 10 Editing user password 136 Http protocol FTP protocol137 Conditions for Http and FTP ﬁltering URL Rules138 URL Rules 139 URL Rules Deﬁnition 140 If user accessing the URL is URL matches criteria141 Allow access to the Web site 142 Valid at time interval Valid for IP address groupValid if Mime type is Denial options WWW content scanning options Scan content for viruses according to scanning rulesDeny Web pages containing 144 Http Inspection Advanced Options 145 Global rules for Web elements Allow Html ActiveX objectsAllow Script Html tags 146 Content Rating System ISS OrangeWeb Filter Allow Html JavaScript pop-up windowsAllow applet Html tags Allow cross-domain referrer ISS OrangeWeb Filter conﬁguration 148 Enable ISS OrangeWeb Filter Categorize each page regardless of Http rulesServer ISS OrangeWeb Filter Deployment 150 ISS OrangeWeb Filter rule Web content ﬁltering by word occurrence 151 Deﬁnition of rules ﬁltering by word occurrence 152 Word groups 153 Deﬁnition of forbidden words 154 Weight FTP PolicyGroup Keyword If user accessing the FTP server is FTP Rules DeﬁnitionFTP server is 156 15 FTP Rule basic parameters Content 158 159 Antivirus control Conditions and limitations of antivirus scan160 Conditions and limitations of antivirus scan 161 How to choose and setup antiviruses Antivirus controlIntegrated McAfee 162 Check for update every ... hours Last update check performed ... agoUpdate now Current virus database is Antivirus settings External antivirus164 165 An example of a traﬃc rule for outgoing Smtp traﬃc check Http and FTP scanning Http and FTP scanning 167 Http and FTP scanning rules Condition168 Mime type 169 Email scanning 170 Email scanning 171 172 IP Address Groups Creating and Editing IP Address Groups173 Time Intervals DeﬁnitionsName Type Time range types AbsoluteWeekly Daily Time Interval Type From, ToValid at days 176 Services Services177 Protocol Protocol inspector178 Source Port and Destination Port Protocol Inspectors179 URL Groups 180 URL Groups 181 Deﬁnitions Group 182 User Accounts and Groups Internal user databaseImport of user accounts from Active Directory 183 Viewing and deﬁnitions of user accounts User Accounts and Groups184 Local user accounts Local user accounts Accounts mapped from the Active Directory domainEdit User 186 Local user accounts Creating a local user accountBasic information Full Name Authentication Account is disabledEmail Address Domain template NT domain / Kerberos Groups189 Access rights 190 No access to administration Read only access to administrationFull access to administration User can override WWW content rules Data transmission quota Transfer quota192 Content rules Quota exceed action193 User’s IP addresses 194 Editing User Account 195 Active Directory NT domain196 Automatic import of user accounts from Active Directory 197 Manual import of user accounts 198 Active Directory domains mapping Active Directory domains mappingDomain mapping requirements 199 Domain Access Single domain mappingActive Directory mapping 200 201 13 Active Directory domain mapping NT authentication support Multiple domains mapping202 203 16 Conversion of user accounts User groups User groups Deﬁnitions204 User groups Creating a new local user groupName and description of the group 205 Group access rights Read only accessGroup members 206 Users can override WWW content rules Users can connect using VPN207 Users are allowed to use P2P networks Users are allowed to view statistics208 Remote Administration and Update Checks Setting Remote AdministrationHow to allow remote administration from the Internet 209 Update Checking Remote Administration and Update Checks210 Update Checking Check for new versionsCheck also for beta versions Check now 212 Advanced security features 15.1 P2P EliminatorP2P Eliminator Conﬁguration 213 Advanced security features 214 15.1 P2P Eliminator Parameters for detection of P2P networks215 Special Security Settings 216 Special Security Settings Anti-SpooﬁngConnections Count Limit 217 VPN using IPSec Protocol EnableEnable pass-through only for hosts IPSec preferences VPN using IPSec Protocol WinRoute’s IPSec conﬁgurationIPSec client in local network 219 220 Traﬃc rule for one IPSec client in the local network IPSec server in local network 221 Other settings Routing table Routing table Route TypesStatic routes 223 Deﬁnitions of Dynamic and Static Rules Network, Network MaskGateway Metric Demand Dial Demand DialRemoving routes from the Routing Table How demand dial works 226 Technical Peculiarities and Limitations 227 Setting Rules for Demand Dial 228 Dial of local DNS names 229 Enable UPnP Port mapping timeoutUniversal Plug-and-Play UPnP Conﬁguration of the UPnP support Relay Smtp server Relay Smtp serverLog packets Log connections Smtp requires authentication Specify sender email address in From headerTest 232 233 Status Information Active hosts and connected users234 Login time Login durationHostname User Active Hosts dialog options Detailed information on a selected host and user Traﬃc information 238 Activity Description Connections239 Source, Destination 240 Histogram 241 Show connections related to the selected process 242 Show connections related to the selected process 243 Options of the Connections Dialog Kill connection244 Color Settings Font ColorBackground Color 245 Alerts Settings Alerts246 Alerts Alert247 Alert Templates 248 \Program Files\Kerio\WinRoute Firewall\templates by default Alerts overview in Administration Console249 250 13 Details of a selected event Basic statistics Interface statistics251 Reset interface statistics Basic statisticsInterface Statistics menu 252 Interface statistics Remove interface statisticsGraphical view of interface load 253 User Statistics data volumes and quotas 254 User Statistics data volumes and quotas User Statistics dialog options255 Reset user statistics Remove user statisticsView host 256 Kerio StaR statistics and reporting Monitoring and storage of statistic data257 Settings for statistics and quota Kerio StaR statistics and reportingRequirements of the statistics 258 Settings for statistics and quota Enable/disable gathering of statistic dataAdvanced settings for statistics 259 Statistics and quota restrictions 260 Accessing the statistics from the WinRoute host Remote access to the statisticsConnection to StaR and viewing statistics Statistics and quota accounting periods StaR page in the web interface 262 Accounting period 263 264 Custom accounting period Overall View Overall View265 Top Requested Web Categories Top 5 users266 Used Protocol 267 268 User statistics User statistics269 Users by Traﬃc 13 The Users by Traﬃc table Top Visited Websites Top Visited Websites Top Requested Web Categories 272 273 16 Top visited websites sorted by categories 274 Log settings LogsFilename.log 275 File Logging 276 Log settings Syslog Logging277 Logs Context Menu Logs Context Menu FindHighlighting Select font Logs Encoding Log debugClear log Log highlighting Log highlighting settings Debug log advanced settings 282 Alert Log Alert Log 20.4 Conﬁg Log Logs284 Connection Log Connection Log285 Debug Log Dial Log286 Page 15/Mar/2004 155912 Line Connection disconnected 288 Error Log Error Log289 ’McAfee update’ rule name Filter Log290 Http log Http log291 1058444114.733 0 192.168.64.64 TCPMISS/304 292 Security Log Security Log293 Authentication service Client IP address reason 294 Sslvpn Log Sslvpn Log17/Dec/2004 121133 Engine Startup 17/Dec/2004 122243 Engine Shutdown Web Log 24/Apr/2003 102951 192.168.44.128 james Web Log 297 Kerio VPN 298 VPN Server Conﬁguration 299 Enable VPN server Kerio VPNGeneral IP address assignment SSL certiﬁcate 301 Advanced Listen on port302 Custom Routes 303 21.2 Conﬁguration of VPN clients Basic conﬁguration of traﬃc rules for VPN clients304 Setting up VPN servers Deﬁnition of a tunnel to a remote serverName of the tunnel 305 Conﬁguration 306 Conﬁguration of a remote end of the tunnel 307 DNS Settings Routing settings308 Connection establishment 309 Traﬃc Policy Settings for VPN 310 Exchange of routing information Exchange of routing informationRouting conﬁguration options 311 Update of routing tables Routes provided automatically312 Example of Kerio VPN conﬁguration company with a ﬁlial oﬃce Speciﬁcation313 Common method 314 315 Headquarters conﬁguration 316 14 Headquarter creating default traﬃc rules for Kerio VPN 317 318 16 Headquarter DNS forwarder conﬁguration 319 320 19 Headquarters VPN server conﬁguration LAN 321 Conﬁguration of a ﬁlial oﬃce 322 24 Filial oﬃce default traﬃc rules for Kerio VPN 323 324 25 Filial oﬃce DNS forwarder conﬁguration 325 326 28 Filial oﬃce VPN server conﬁguration 327 29 Filial oﬃce deﬁnition of VPN tunnel for the headquarters Example of a more complex Kerio VPN conﬁguration VPN test328 Common method 329 330 331 33 Headquarter creating default traﬃc rules for Kerio VPN 332 333 35 Headquarter DNS forwarder conﬁguration Kerio VPN 335 38 Headquarters VPN server conﬁguration 336 39 Headquarter deﬁnition of VPN tunnel for the London ﬁlial 337 338 339 43 Headquarter ﬁnal traﬃc rules Conﬁguration of the London ﬁlial 340 46 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN 341 48 The London ﬁlial oﬃce DNS forwarding settings 342 343 344 345 346 54 The London ﬁlial oﬃce ﬁnal traﬃc rules Conﬁguration of the Paris ﬁlial 347 348 57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration 349 59 The Paris ﬁlial oﬃce VPN server conﬁguration 350 351 352 353 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules 354 Kerio Clientless SSL-VPN 22.1 Conﬁguration of WinRoute’s SSL-VPNSSL-VPN conﬁguration 355 Allowing access from the Internet Kerio Clientless SSL-VPN356 Usage of the SSL-VPN interface Usage of the SSL-VPN interfaceHttps//server Https//server12345 Sidneywashington@usoffice.company.com Handling ﬁles and folders358 \\server\folder\subfolder Antivirus controlBookmarks 359 Troubleshooting Detection of incorrect conﬁguration of the default gateway360 23.2 Conﬁguration Backup and Transfer Sslcert LicenseCache.CFS Dnscache.cfg Handling conﬁguration ﬁles Conﬁguration backup recovery Star363 List name=Interfaces Automatic user authentication using Ntlm General conditions365 WinRoute Conﬁguration 366 Automatic user authentication using Ntlm Ntlm authentication processWeb browsers Microsoft Internet Explorer Firefox/Netscape/Mozilla/SeaMonkey Firefox/Netscape/Mozilla/SeaMonkey conﬁguration368 Partial Retirement of Protocol Inspector Partial Retirement of Protocol Inspector369 How to enable certain users to access the Internet User accounts and groups in traﬃc rules370 Enabling automatic authentication 371 FTP on WinRoute’s proxy server Example of a client conﬁguration web browser372 Example of a client conﬁguration Total Commander FTP on WinRoute’s proxy server373 12 Setting proxy server for FTP in Total Commander 374 Network Load Balancing Basic Information and System RequirementsNetwork Conﬁguration 375 Network Load Balancing 376 24.3 Conﬁguration of the servers in the cluster NLB conﬁguration for Server1377 378 Server 1 cluster parameters NLB conﬁguration for Server2 379 Technical support Essential InformationDescription 380 Error Log Files Tested in Beta versionInformational File License type and license number Contacts United KingdomCzech Republic Legal Presumption Used open-source libraries LibiconvOpenSSL 384 Prototype Copyright 2005 Sam StephensonZlib 385 Default gateway Glossary of termsActiveX Cluster Firewall Greylisting387 Glossary of terms IP address IPSecKerberos 388 Network adapter P2P networkPacket Port Glossary of terms Proxy serverRouting table Script Spooﬁng 391 TCP/IP 392 Index 393 Index 394 Ntlm 395 VPN 396 133 397