Filter Log, ’McAfee update’ rule name, 290 | Kerio Tech Firewall6

Chapter 20 Logs

•8400-8499— dial-up error (unable to read deﬁned dial-up connections, line conﬁgu- ration error, etc.)

•8500-8599— LDAP errors (server not found, login failed, etc.)

Note: If you are not able to correct an error (or ﬁgure out what it is caused by) which is repeatedly reported in the Error log, do not hesitate to contact our technical support. For detailed information, refer to chapter 25 or to http://www.kerio.com/.

20.9 Filter Log

This log contains information about web pages and objects blocked by the HTTP and FTP ﬁlters (see chapters 10.2 and 10.6) and about packets blocked by traﬃc rules if packet logging is enabled for the particular rule (see chapter 6 for more information). Each log line includes the following information depending on the component which generated the log:

•when an HTTP or FTP rule is applied: rule name, user, IP address of the host which sent the request, object’s URL

•when a traﬃc rule is applied: detailed information about the packet that matches the rule (rule name, source and destination address, ports, size, etc.)

Example of a URL rule log message:

[18/Apr/2003 13:39:45] ALLOW URL ’McAfee update’ 192.168.64.142 james HTTP GET http://update.kerio.com/nai-antivirus/datfiles/4.x/dat-4258.zip

•[18/Apr/2003 13:39:45] — date and time when the event was logged

•ALLOW — action that was executed (ALLOW = access allowed, DENY = access denied)

•URL — rule type (for URL or FTP)

•’McAfee update’ — rule name

•192.168.64.142 — IP address of the client

•jsmith — name of the user authenticated on the ﬁrewall (no name is listed unless at least one user is logged in from the particular host)

•HTTP GET — HTTP method used in the request

•http:// ... — requested URL

290

Image 290

Kerio Tech Firewall6 manual Filter Log, ’McAfee update’ rule name, 290

Contents

Administrator’s Guide Kerio TechnologiesPage Contents 113 Remote Administration and Update Checks 209 Kerio Clientless SSL-VPN 355 393 Quick Checklist Page Kerio WinRoute Firewall Basic FeaturesIntroduction Additional Features Kerio WinRoute Firewall Email alerts Antivirus controlTransparent support for Active Directory User quotas Collision of low-level drivers Conﬂicting softwareClientless SSL-VPN Port collision Antivirus applications Steps to be taken before the installation InstallationInstallation System requirements Installation and Basic Conﬁguration Guide Custom installation selecting optional components Protection of the installed product Conﬂicting Applications and System Services WinRoute Engine Monitor WinRoute ComponentsWinRoute Firewall Engine WinRoute Engine Monitor Kerio Administration ConsoleWinRoute Engine Monitor Upgrade and Uninstallation Typically the path C\Program Files\Kerio\WinRoute Firewall Upgrade and UninstallationUninstallation Setting of administration username and password Upgrade from WinRoute ProUpdate Checker Conﬁguration Wizard Remote IP address Remote AccessEnable remote access Initial conﬁguration Allowing remote administration WinRoute Administration Administration Window File WinRoute AdministrationAdministration Window Main menu Help menu Detection of WinRoute Firewall Engine connection drop-out Administration WindowStatus bar View Settings Column customization in Interfaces View Settings License types optional components Product Registration and LicensingLicense types and number of users License types and number of users Deciding on a number of users licenses Copyright License informationProduct Homepage Product expiration date License IDSubscription expiration date Number of users Registration of the product in the Administration Console Registration of the trial version Registration of the product in the Administration Console Trial version registration security code Trial version registration other information Registration of the purchased product Trial version registration Trial ID Product Registration and Licensing Registration of the product in the Administration Console 10 Product registration user information Update of registration information 12 Product registration summary Subscription / Update Expiration Product registration at the website Subscription / Update Expiration Bubble alerts User counter 15 The notice that the subscription has already expired License counter User counterStart WinRoute License release Interface Settings for Interfaces and Network ServicesNetwork interfaces IP Address and Mask Add Dial or Hang Up /Enebale, DisableAdapter info Modify Dial-In RefreshSpecial interfaces VPN server Bind this interface Interface type selection Interface name Use login data from the RAS entryUse the following login data RAS Entry Connection Dial-up demand dial Hangup if idle Advanced Connection Failover Edit Interface parameters Connection Failover Connection Failover SetupEnable automatic connection failover Current connection Conﬁguration of primary and secondary Internet connection Dial-up Use Primary connectionSecondary connection DNS Forwarder DNS Forwarder conﬁguration DNS forwarding Enable DNS forwardingDNS Forwarder Clear cache Enable cache for faster response of repeated queriesEnable DNS forwarding Use custom forwarding 10 Speciﬁc settings of DNS forwarding Simple DNS resolution 11 DNS forwarding a new rule Before forwarding a query Combine the name ... with DNS domain Dhcp server Deﬁnition of Scopes and Reservations Dhcp serverDhcp Server Conﬁguration Wins server Lease timeDNS server Domain Description 15 Dhcp server IP scopes deﬁnition Exclusions First address, Last addressSubnet mask Parameters Lease Reservations 00bca5f21e50 Bc-a5-f2-1e-50 Leases 20 Dhcp server list of leased and reserved IP addresses Dhcp server advanced options Windows RAS Proxy server Declined options Proxy Server Conﬁguration Enable non-transparent proxy serverProxy server Enable connection to any TCP port 22 Http proxy server settings Forward to parent proxy server Http//192.168.1.13128/pac/proxy.pac Http cache Enable cache on transparent proxyEnable cache on proxy server Http protocol TTL Http cache Cache size Cache Options Memory cache sizeMax Http object size URL Speciﬁc Settings URL Cache status and administration TTL 26 Http cache administration dialog Traﬃc Policy Network Rules Wizard Selection of Internet connection type Network Rules WizardInformation Network adapter or dial-up selection Network Policy Wizard selection of a connected adapter Internet access limitations Allow access to all services Allow access to the following services only Enabling Kerio VPN traﬃc Service is running on Service NAT Generating the rules Rules Created by the Wizard Icmp traﬃc Local Traﬃc Firewall Traﬃc Name How traﬃc rules workDeﬁnition of Custom Traﬃc Rules Source, Destination 12 Traﬃc rule name, color and rule description IP range e.g Deﬁnition of Custom Traﬃc Rules Service 100 Action 101 Log 102 Translation 103 104 20 Traﬃc rule destination address translation 105 Valid onProtocol inspector Source Basic Traﬃc Rule TypesIP Translation NAT Destination Port mapping TranslationPlacing the rule 107 108 109 Limiting Internet AccessMultihoming 110 Exclusions 111 112 Bandwidth Limiter How the bandwidth limiter works and how to use itSpeed limits for big data volumes transmissions Speed limits for users with their quota exceeded Bandwidth Limiter Setting limit valuesBandwidth Limiter conﬁguration 114 115 ServicesAdvanced Options IP Addresses and Time Interval 116 Bandwidth Limiter selection of network services 117 Detection of connections with large data volume transferred 118 119 Detection of connections with large data volume transferredExamples 120 121 User AuthenticationFirewall User Authentication 122 User AuthenticationUser authentication advanced options Enable non-transparent proxy server authentication Firewall User AuthenticationRedirection to the authentication Automatic authentication Ntlm Automatically logout users when they are inactive 124 Web Interface Enable Kerio SSL-VPN serverEnable Web Interface Http Web Interface Parameters Conﬁguration Web Interface Enable secured Web Interface HttpsAllow access only from these IP addresses WinRoute server name Conﬁguration of ports of the Web Interface 127 128 SSL Certiﬁcate for the Web InterfaceGenerate or Import Certiﬁcate 129 SSL certiﬁcate of WinRoute’s Web interface Users logged Login/logoutWeb Interface Language Preferences 130 131 Login/logoutDrdolittle@usoffice.company.com 132 User password authenticationLog out 133 Status information and user statisticsStatus information and user statistics User preferences 134 135 Save settingsUser preferences 10 Editing user password 136 137 Http protocolFTP protocol 138 Conditions for Http and FTP ﬁlteringURL Rules URL Rules 139 URL Rules Deﬁnition 140 141 If user accessing the URL isURL matches criteria Allow access to the Web site 142 Valid if Mime type is Valid at time intervalValid for IP address group Denial options Deny Web pages containing WWW content scanning optionsScan content for viruses according to scanning rules 144 Http Inspection Advanced Options 145 Allow Script Html tags Global rules for Web elementsAllow Html ActiveX objects 146 Allow applet Html tags Content Rating System ISS OrangeWeb FilterAllow Html JavaScript pop-up windows Allow cross-domain referrer ISS OrangeWeb Filter conﬁguration 148 Server Enable ISS OrangeWeb FilterCategorize each page regardless of Http rules ISS OrangeWeb Filter Deployment 150 ISS OrangeWeb Filter rule Web content ﬁltering by word occurrence 151 Deﬁnition of rules ﬁltering by word occurrence 152 Word groups 153 Deﬁnition of forbidden words 154 Group WeightFTP Policy Keyword FTP server is If user accessing the FTP server isFTP Rules Deﬁnition 156 15 FTP Rule basic parameters Content 158 159 160 Antivirus controlConditions and limitations of antivirus scan Conditions and limitations of antivirus scan 161 Integrated McAfee How to choose and setup antivirusesAntivirus control 162 Update now Check for update every ... hoursLast update check performed ... ago Current virus database is 164 Antivirus settingsExternal antivirus 165 An example of a traﬃc rule for outgoing Smtp traﬃc check Http and FTP scanning Http and FTP scanning 167 168 Http and FTP scanning rulesCondition Mime type 169 Email scanning 170 Email scanning 171 172 173 IP Address GroupsCreating and Editing IP Address Groups Name Time IntervalsDeﬁnitions Type Weekly Time range typesAbsolute Daily Valid at days Time Interval TypeFrom, To 176 177 ServicesServices 178 ProtocolProtocol inspector 179 Source Port and Destination PortProtocol Inspectors URL Groups 180 URL Groups 181 Deﬁnitions Group 182 Import of user accounts from Active Directory User Accounts and GroupsInternal user database 183 184 Viewing and deﬁnitions of user accountsUser Accounts and Groups Local user accounts Edit User Local user accountsAccounts mapped from the Active Directory domain 186 Basic information Local user accountsCreating a local user account Full Name Email Address AuthenticationAccount is disabled Domain template 189 NT domain / KerberosGroups Access rights 190 Full access to administration No access to administrationRead only access to administration User can override WWW content rules 192 Data transmission quotaTransfer quota 193 Content rulesQuota exceed action User’s IP addresses 194 Editing User Account 195 196 Active DirectoryNT domain Automatic import of user accounts from Active Directory 197 Manual import of user accounts 198 Domain mapping requirements Active Directory domains mappingActive Directory domains mapping 199 Active Directory mapping Domain AccessSingle domain mapping 200 201 13 Active Directory domain mapping 202 NT authentication supportMultiple domains mapping 203 16 Conversion of user accounts 204 User groupsUser groups Deﬁnitions Name and description of the group User groupsCreating a new local user group 205 Group members Group access rightsRead only access 206 207 Users can override WWW content rulesUsers can connect using VPN 208 Users are allowed to use P2P networksUsers are allowed to view statistics How to allow remote administration from the Internet Remote Administration and Update ChecksSetting Remote Administration 209 210 Update CheckingRemote Administration and Update Checks Check also for beta versions Update CheckingCheck for new versions Check now 212 P2P Eliminator Conﬁguration Advanced security features15.1 P2P Eliminator 213 Advanced security features 214 215 15.1 P2P EliminatorParameters for detection of P2P networks Special Security Settings 216 Connections Count Limit Special Security SettingsAnti-Spooﬁng 217 Enable pass-through only for hosts VPN using IPSec ProtocolEnable IPSec preferences IPSec client in local network VPN using IPSec ProtocolWinRoute’s IPSec conﬁguration 219 220 Traﬃc rule for one IPSec client in the local network IPSec server in local network 221 Other settings Routing table Static routes Routing tableRoute Types 223 Gateway Deﬁnitions of Dynamic and Static RulesNetwork, Network Mask Metric Removing routes from the Routing Table Demand DialDemand Dial How demand dial works 226 Technical Peculiarities and Limitations 227 Setting Rules for Demand Dial 228 Dial of local DNS names 229 Universal Plug-and-Play UPnP Enable UPnPPort mapping timeout Conﬁguration of the UPnP support Log packets Relay Smtp serverRelay Smtp server Log connections Test Smtp requires authenticationSpecify sender email address in From header 232 233 234 Status InformationActive hosts and connected users Hostname Login timeLogin duration User Active Hosts dialog options Detailed information on a selected host and user Traﬃc information 238 239 Activity DescriptionConnections Source, Destination 240 Histogram 241 Show connections related to the selected process 242 Show connections related to the selected process 243 244 Options of the Connections DialogKill connection Background Color Color SettingsFont Color 245 246 Alerts SettingsAlerts 247 AlertsAlert Alert Templates 248 249 \Program Files\Kerio\WinRoute Firewall\templates by defaultAlerts overview in Administration Console 250 13 Details of a selected event 251 Basic statisticsInterface statistics Interface Statistics menu Reset interface statisticsBasic statistics 252 Graphical view of interface load Interface statisticsRemove interface statistics 253 User Statistics data volumes and quotas 254 255 User Statistics data volumes and quotasUser Statistics dialog options View host Reset user statisticsRemove user statistics 256 257 Kerio StaR statistics and reportingMonitoring and storage of statistic data Requirements of the statistics Settings for statistics and quotaKerio StaR statistics and reporting 258 Advanced settings for statistics Settings for statistics and quotaEnable/disable gathering of statistic data 259 Statistics and quota restrictions 260 Connection to StaR and viewing statistics Accessing the statistics from the WinRoute hostRemote access to the statistics Statistics and quota accounting periods StaR page in the web interface 262 Accounting period 263 264 Custom accounting period 265 Overall ViewOverall View 266 Top Requested Web CategoriesTop 5 users Used Protocol 267 268 269 User statisticsUser statistics Users by Traﬃc 13 The Users by Traﬃc table Top Visited Websites Top Visited Websites Top Requested Web Categories 272 273 16 Top visited websites sorted by categories 274 Filename.log Log settingsLogs 275 File Logging 276 277 Log settingsSyslog Logging Logs Context Menu Highlighting Logs Context MenuFind Select font Clear log Logs EncodingLog debug Log highlighting Log highlighting settings Debug log advanced settings 282 Alert Log Alert Log 284 20.4 Conﬁg LogLogs 285 Connection LogConnection Log 286 Debug LogDial Log Page 15/Mar/2004 155912 Line Connection disconnected 288 289 Error LogError Log 290 ’McAfee update’ rule nameFilter Log 291 Http logHttp log 1058444114.733 0 192.168.64.64 TCPMISS/304 292 293 Security LogSecurity Log Authentication service Client IP address reason 294 17/Dec/2004 121133 Engine Startup Sslvpn LogSslvpn Log 17/Dec/2004 122243 Engine Shutdown Web Log 24/Apr/2003 102951 192.168.44.128 james Web Log 297 Kerio VPN 298 VPN Server Conﬁguration 299 General Enable VPN serverKerio VPN IP address assignment SSL certiﬁcate 301 302 AdvancedListen on port Custom Routes 303 304 21.2 Conﬁguration of VPN clientsBasic conﬁguration of traﬃc rules for VPN clients Name of the tunnel Setting up VPN serversDeﬁnition of a tunnel to a remote server 305 Conﬁguration 306 Conﬁguration of a remote end of the tunnel 307 308 DNS SettingsRouting settings Connection establishment 309 Traﬃc Policy Settings for VPN 310 Routing conﬁguration options Exchange of routing informationExchange of routing information 311 312 Update of routing tablesRoutes provided automatically 313 Example of Kerio VPN conﬁguration company with a ﬁlial oﬃceSpeciﬁcation Common method 314 315 Headquarters conﬁguration 316 14 Headquarter creating default traﬃc rules for Kerio VPN 317 318 16 Headquarter DNS forwarder conﬁguration 319 320 19 Headquarters VPN server conﬁguration LAN 321 Conﬁguration of a ﬁlial oﬃce 322 24 Filial oﬃce default traﬃc rules for Kerio VPN 323 324 25 Filial oﬃce DNS forwarder conﬁguration 325 326 28 Filial oﬃce VPN server conﬁguration 327 29 Filial oﬃce deﬁnition of VPN tunnel for the headquarters 328 Example of a more complex Kerio VPN conﬁgurationVPN test Common method 329 330 331 33 Headquarter creating default traﬃc rules for Kerio VPN 332 333 35 Headquarter DNS forwarder conﬁguration Kerio VPN 335 38 Headquarters VPN server conﬁguration 336 39 Headquarter deﬁnition of VPN tunnel for the London ﬁlial 337 338 339 43 Headquarter ﬁnal traﬃc rules Conﬁguration of the London ﬁlial 340 46 The London ﬁlial oﬃce default traﬃc rules for Kerio VPN 341 48 The London ﬁlial oﬃce DNS forwarding settings 342 343 344 345 346 54 The London ﬁlial oﬃce ﬁnal traﬃc rules Conﬁguration of the Paris ﬁlial 347 348 57 The Paris ﬁlial oﬃce DNS forwarder conﬁguration 349 59 The Paris ﬁlial oﬃce VPN server conﬁguration 350 351 352 353 64 The Paris ﬁlial oﬃce ﬁnal traﬃc rules 354 SSL-VPN conﬁguration Kerio Clientless SSL-VPN22.1 Conﬁguration of WinRoute’s SSL-VPN 355 356 Allowing access from the InternetKerio Clientless SSL-VPN Https//server Usage of the SSL-VPN interfaceUsage of the SSL-VPN interface Https//server12345 358 Sidneywashington@usoffice.company.comHandling ﬁles and folders Bookmarks \\server\folder\subfolderAntivirus control 359 360 TroubleshootingDetection of incorrect conﬁguration of the default gateway 23.2 Conﬁguration Backup and Transfer Cache.CFS SslcertLicense Dnscache.cfg 363 Handling conﬁguration ﬁles Conﬁguration backup recoveryStar List name=Interfaces 365 Automatic user authentication using NtlmGeneral conditions WinRoute Conﬁguration 366 Web browsers Automatic user authentication using NtlmNtlm authentication process Microsoft Internet Explorer 368 Firefox/Netscape/Mozilla/SeaMonkeyFirefox/Netscape/Mozilla/SeaMonkey conﬁguration 369 Partial Retirement of Protocol InspectorPartial Retirement of Protocol Inspector 370 How to enable certain users to access the InternetUser accounts and groups in traﬃc rules Enabling automatic authentication 371 372 FTP on WinRoute’s proxy serverExample of a client conﬁguration web browser 373 Example of a client conﬁguration Total CommanderFTP on WinRoute’s proxy server 12 Setting proxy server for FTP in Total Commander 374 Network Conﬁguration Network Load BalancingBasic Information and System Requirements 375 Network Load Balancing 376 377 24.3 Conﬁguration of the servers in the clusterNLB conﬁguration for Server1 378 Server 1 cluster parameters NLB conﬁguration for Server2 379 Description Technical supportEssential Information 380 Informational File Error Log FilesTested in Beta version License type and license number Czech Republic ContactsUnited Kingdom Legal Presumption OpenSSL Used open-source librariesLibiconv 384 Zlib PrototypeCopyright 2005 Sam Stephenson 385 ActiveX Default gatewayGlossary of terms Cluster 387 FirewallGreylisting Kerberos Glossary of terms IP addressIPSec 388 Packet Network adapterP2P network Port Routing table Glossary of termsProxy server Script Spooﬁng 391 TCP/IP 392 Index 393 Index 394 Ntlm 395 VPN 396 133 397