Prerequisites

• To use Configuration Backup you must have the ETM Dashboard Organization, which is available as an à la carte item.
• To view the status of backups you need the Reports app.
• To access your backups your appliance must be connected to your ETM Dashboard Organization account. To verify that NG Firewall is connected to ETM Dashboard, refer to the Support screen.
• To backup to Google Drive, a Google account must be authenticated using Directory Connector.

Installing the Configuration Backup App

Configuring a Secondary Backup using Google Drive

Viewing Backup Activity

To view backup activities such as the most recent backup or potential failures, click Reports in the top menu or click one of the predefined reports in the Status screen.

Restoring a Backup Using ETM Dashboard

Restoring a Backup in Google Drive

Related Topics

Restore

Settings

This section discusses the different settings and configuration options available for Threat Prevention.

Status

The Status screen shows the running state of Threat Prevention and relevant metrics, such as the number of blocked sessions and high-risk threats.

Threats

You can review the threshold for IP Addresses and URL Threats in the Threats tab. The recommended and default Reputation Threshold is "High Risk." "High Risk" is the only setting that should be deployed without reviewing and understanding the implications on network traffic. 'Suspicious" will block significantly more network traffic than "High Risk" will block.

Pass Sites

The Pass Sites tab allows you to specify IP Addresses or URLs to exclude from Threat Prevention lookups to ensure they are permitted by this app.

Rules

The Rules tab allows you to specify rules for blocking, Passing, or Flagging traffic that crosses the NG Firewall.

The Rules describe how rules work and how they are configured. Threat Prevention uses rules to determine to block/pass the specific session and if the session is flagged. Flagging a session marks it in the logs for review in the event logs or reports, but has no direct effect on the network traffic.

Rule Actions

• Pass: Allows the traffic that matches the rule to flow.
• Block: Blocks the traffic that matches the rule.

Additionally, a session can be flagged. If the flag is checked, the event is flagged for easier viewing in the event log. The flag is always enabled if the action is blocked.

Threat Lookup

Threat Lookup enables you to get threat information from an IP address or URL. This is useful for validating afterward or confirming the reputation and other details of the IP address or URL in advance. Enter an IP Address or URL in the input field and click Search to get information.

Threat Results

Advanced

Settings

This section discusses the different settings and configuration options for virus scanners.

Status

This displays the current status and some statistics.

Scan Options

Pass Sites

This section allows you to specify sites that are not scanned. The list uses the Glob Matcher syntax.

Advanced

Advanced settings can tune specific behavior of virus blockers.

The first option is to turn certain scanners on/off. When a virus blocker scans a file, it is scanned by multiple engines, a local antivirus engine, and the cloud ScoutIQ™ engine.

Using all available engines is recommended.

File Extensions

MIME Types

Similar to file extensions, this lists the MIME types to be scanned, regardless of extension. The same logic and warnings apply here as well.

About Application Control

How It Works

Application Control feeds each chunk of data to a classification engine as it passes through the application. The classification engine continues to analyze the traffic flow and keeps properties of the session, such as the Application property. Each time the classification of the Application property is updated, the Applications settings are checked to see if that application is allowed. The data is blocked If the application is configured to be blocked in the settings. If not, the process continues until the session reaches a fully classified state, where the classification engine believes no more session classification is possible. At this point, the Rules are evaluated, and the session is ultimately blocked or passed based on the rules you've configured.

Settings

This section describes the different settings and configuration options available for Application Control.

Status

The Status tab displays a summary of traffic and configuration information. The Traffic Statistics section displays the total number of sessions that have been scanned and the number of those that were allowed, flagged, or blocked. The Application Statistics section shows you the total number of applications that can be detected by the application, along with the number of those protocols that will be flagged and/or blocked. Rules Statistics allows you to quickly see how many custom rules you have configured and how many of those rules are active.

Applications

Rules

If the traffic you need to manage can't be handled via the Applications tab, you can create custom rules to analyze and control traffic based on more complex patterns and conditions. For each session, the rules are only evaluated once after the classification engine has completed an analysis of the traffic. The rules are then evaluated in order until the first match is found; at this point, the configured action will be performed. If there are no matches, the session will be tagged as allowed, the traffic will flow unimpeded, and no further analysis of that traffic will occur.

If an application is blocked or tarpitted in the Applications tab, it will be blocked immediately when identified before the engine has completed the analysis. In this case, the rules will have NO EFFECT because the sessions are blocked before the rules are evaluated.

Application Control Rules are a very powerful feature for controlling application usage. However, understanding how and when the rules are evaluated is essential for their use.

Anatomy of a Rule

Application Detail

The Detail field will contain different types of [#Is there a list of session properties? | information] depending on the protocols detected during session classification. The Detail field will be empty for matcher conditions other than those listed below.

• Allow: Allow the traffic.
• Block: When this option is selected, traffic in both directions will be silently dropped, but the session will remain active.

About SSL Inspector

SSL Certificates

SSL Certificates serve two primary purposes. They allow traffic between the client and server to be encrypted, and they allow the client to validate the server's authenticity. There are two main ways the client checks the authenticity of the server certificate. The first is validating the server certificate to ensure it has been issued or signed by a known and trusted third-party certificate authority. Once that trust has been established, the client checks the server name portion of the target URL to ensure it matches the server name registered in the certificate presented by the server. If either of these checks fails, the client will typically display a warning, indicating that the connection's security may be compromised.

When the NG Firewall server is initially installed, a default Certificate Authority is automatically created and used to sign the man-in-the-middle certificates created by the SSL Inspector. To view or make changes to the internal Certificate Authority, check out the Certificates tab of the Config/Administration page.

Config > Administration > Certificates

Client Configuration

For the client authenticity checks to be successful, the client must be configured to trust the root certificate used by the NG Firewall server to sign the man-in-the-middle certificates described above. To configure clients, you must first use the Download Root Certificate button located on the Configuration tab of the SSL Inspector Settings page to download the root certificate. You must then install this certificate to correct the client's location.

Another way to download the root certificate is to access a special URL using the IP address of the NG Firewall server:

http://yourserver/cert

Simply replace 0.0.0.0 with the IP address of your NG Firewall server. This method is especially useful when using mobile devices. For example, accessing this URL on an iPad or iPhone will download and display the certificate and provide an option to install and trust the certificate directly on the device.

Below are basic instructions for installing the root certificate on some common client platforms. If yours needs to be listed, or you need any help, consult the reference material for the target platform for further information.

Internet Explorer or Google Chrome on Microsoft Windows

Firefox on Microsoft Windows

Opera on Microsoft Windows

Group Policy Distribution

Suppose you have a fully deployed and implemented Active Directory infrastructure. In that case, you can leverage the Group Policy model to distribute the NG Firewall root certificate to your client computers. This is outside our expertise, so we can only help or assist. Still, we have compiled links to some TechNet articles with instructions for several common versions of Windows Server.

Windows Server 2003

Windows Server 2008

Windows Server 2012

Settings

This section describes the different settings and configuration options available for SSL Inspector.

Status

This displays the current status and some statistics.

Configuration

Execute the following configurations:

Download Root Certificate

As described above, client computers and devices on your network need to be configured to trust the root certificate of the NG Firewall server. Clicking this button will allow you to download the root certificate. Once downloaded, you need to install it in the Trusted Authorities certificate store on your client computers and devices. Note that this is the same root certificate that can be downloaded from the Config > Administration > Certificates page. The download link is included on the SSL Inspector Configuration page for convenience.

Alternatively, you can download the certificate from a client system by navigating to http://yourserver/cert.

Enable SMTPS Traffic Processing

This option is enabled by default and allows the SSL Inspector to work cooperatively with the other applications that act on SMTP mail traffic. When enabled, port 25 mail sessions that use STARTTLS will be decrypted inbound, allowing the clear traffic to pass through all other applications, and re-encrypted again before passing outbound.

Enable HTTPS Traffic Processing

This option is enabled by default and allows the SSL Inspector to work cooperatively with the other applications that act on HTTP web traffic. When enabled, port 443 web sessions that use SSL/TLS will be decrypted inbound, allowing the clear traffic to pass through all other applications and then re-encrypted again before passing outbound.

Block Invalid HTTPS Traffic

When processing a new HTTPS session, the inspector first analyzes the initial client computer request to see if it contains a valid SSL negotiation message. If not, the session will be ignored by default, and the traffic will flow directly between the client and server without inspection. By enabling this checkbox, you can change the default behavior and effectively block any port 443 traffic that does not contain a valid HTTPS signature.

Client/Server Connection Protocols

Trust All Server Certificates

Normally, when establishing an SSL connection with an external web server, the inspector will authenticate the server certificate against a standard list of trusted certificate authorities. If this trust cannot be established, the inspector will end the session. By enabling this checkbox, you can force the inspector to blindly trust all external server certificates.

Note that we DO NOT recommend running with this option enabled, as it exposes all HTTPS traffic to significant security risks.

The standard list of trusted certificates used by NG Firewall is generated from the standard ca-certificates package. It includes, among others, certificate authorities used by Mozilla's browsers. Please note that Edge Threat Management staff can neither confirm nor deny whether the certificate authorities whose certificates are included in this list have in any way been audited for trustworthiness or RFC 3647 compliance. The local system administrator is fully responsible for assessing them.

Upload Trusted Certificate

The inspector emulates a web browser when it makes outbound connections to external web servers. Just like a web browser, it must verify the authenticity of the server certificate before it will trust the connection and allow traffic to flow freely. As mentioned above, the inspector uses a standard list of known certificate authorities to validate server certificates. However, it's also possible you have servers in your network that use certificates that can't be authenticated this way. Perhaps you have your certificate authority or use self-signed certificates. Whatever the reason, you can use this section of the configuration page to upload additional certificates you want the inspector to trust.

Rules

The Rules tab allows you to specify explicit rules to Inspect or Ignore HTTPS traffic that crosses the NG Firewall. By default, many common HTTPS sites (Google, YouTube, Yahoo, and so on) are inspected, but not all HTTPS. This provides a safe default which provides HTTPS inspection on those sites without interfering with other HTTPS communications. It can easily be configured to inspect all HTTPS by enabling the "Inspect All Traffic" rule.

The Rules describe how rules work and how they are configured. SSL Inspector uses rules to determine if it should inspect or ignore traffic for the specific session.

In addition to all the common rule types, three are unique to the SSL Inspector, and these can be very useful for ignoring traffic that you don't want to inspect, or that isn't compatible with the SSL Inspector.

HTTPS: SNI Hostname

Most web browsers and many client applications include the destination hostname in the initial packet of an HTTPS session. The mechanism is called the Server Name Indication or the SNI extension to the TLS protocol. The main purpose is to allow a single web server to host multiple secure web sites. By analyzing the SNI hostname in the client request, the server can decide which SSL certificate to use to encrypt the session. This extension is necessary because the encryption must be established long before the server ever sees the HTTP request, and by then, it would be too late to use a different certificate.

Creating ignore rules based on the SNI hostname is an effective way to have the SSL Inspector ignore incompatible traffic. A prime example is the default rule for Microsoft Update. The Microsoft Update client checks the server certificate to ensure it was signed by a specific authority. Since it doesn't trust the Root Authority the SSL Inspector uses to generate certificates on the fly, Microsoft Update will fail with an error. The default rule allows this traffic to be detected and ignored, allowing Microsoft Update to work properly.

HTTPS: Certificate Subject and HTTPS: Certificate Issuer

These two rule conditions are useful when dealing with client applications that don't use SNI and aren't compatible with SSL Inspector. An excellent example is the Dropbox client utility, for which there is also a default rule. Like Microsoft Update, the Dropbox client will reject SSL certificates it doesn't explicitly trust.

Using either of these rule conditions, you can match traffic on any portion of the Subject or Issuer Distinguished Name (DN) included in the server certificate. In both cases, the information in the match string includes the standard information fields commonly stored within the SSL certificates, such as CN (common name), C (country), ST (state), L (locality), O (organization), and OU (organizational unit). Each of these is appended to the match string and separated by commas. Not all fields are required in all certificates, and some certificates may have others not listed. The order they occur in the match string is also not guaranteed.

CN=*.dropbox.com, O="Dropbox, Inc.", L=San Francisco, ST=California, C=US

CN=Thawte SSL CA, O="Thawte, Inc.", C=US

About Web Filter

Traffic Flow

When scanning traffic, Web Filter evaluates the pass lists, block lists, categories, and rules at two distinct points of the HTTP transaction. The first evaluation happens after the client receives the request and before it is forwarded to the server. The second is after the response is received from the server and before it is passed back to the client. This allows a high degree of filtering and control over both requested resources and Content returned in response.

HTTP Request

HTTP Response

Settings

This section discusses the different settings and configuration options available for Web Filter.

Status

This displays the current status and some statistics.

Categories

Categories enable you to customize which categories of sites will be blocked or flagged. Blocked categories will display a block page to the user; flagged categories will allow the user to access the site but will be silently flagged as a violation for event logs and Reports. These block/flag actions operate similarly for all Web Filter options.

Search Terms

Search Terms filtering enables you to flag or block specific search terms your users perform on popular search sites, including Google, Bing, Ask, Yahoo, and YouTube. For example, if someone searches Google and includes the word "suicide" or searches for "twerking" videos on YouTube, you can have these activities flagged or blocked.

Under Search Filter, you can add terms you want to be blocked or flagged. Search Filter terms use the Glob Matcher syntax.

Site Lookup

Site Lookup allows you to find a URL's categorization. Clicking it brings up a dialog. In Site URL, specify the URL to find and click Search to find the URL's categorization.

If you feel the current categorization is incorrect, check Suggest a different category, select a new category from the list, and click Suggest to submit the category change for consideration.

Block Sites

Under Block Sites, you can add individual domain names you want to be blocked or flagged - enter the domain name (e.g., youtube.com) and specify your chosen action. This list uses URL Matcher syntax.

Pass Sites

Pass Sites is used to pass Content that would have otherwise been blocked. This can be useful for "unblocking" sites you don't want to be blocked according to block settings. Any domains you add to the Passed Sites list will be allowed, even if blocked by category or by individual URL - add the Domain and save. Unchecking the pass option will allow the site to be blocked as if the entry was not present. This list uses URL Matcher syntax.

Pass Clients

If you add an IP address to this list, Web Filter will not block any traffic from that IP regardless of the blocked categories or sites. Just add the IP and save. Unchecking the pass option will have the block/pass lists affect the user as if they were not entered into the Passed Client IPs list. This list uses IP Matcher syntax.

Consider using pass lists if you have a few users who must bypass Web Filter controls completely. If you have users needing different Web Filter settings, you should set up a separate policy using Policy Manager. When using this feature, please remember that DHCP IPs can change, so you'll probably want to set up a Static IP or a Static DHCP Lease for the machine in question.

Rules

The Rules tab allows you to specify rules to Block or Flag traffic that passes through Web Filter.

The Rules describe how rules work and how they are configured. Web Filter uses rules to determine whether to block or flag a specific session. Flagging a session marks it in the logs for review in the event logs or reports but has no direct effect on the network traffic.

Rule Types

In previous versions of Web Filter, there were dedicated lists for blocking certain file extensions or MIME types. This capability is still available when using more flexible filter rules. To block specific file extensions, you can create a rule with the condition HTTP: Response File Extension that has a comma-separated list of the extensions to block in the Value field. You would create a rule for blocking MIME types with the condition HTTP: Content Type with a comma-separated list of the content types to block in the Value field.

Below are tables listing the default file extensions and MIME types available in previous versions. Note that these lists are not exhaustive but are included here to simplify the creation of such rules by copying and pasting the values in the tables.