Hillstone Networks, Inc. StoneOS Cookbook. Version 5.5R1 V4.0


Copyright 2015 Hillstone Networks, Inc. All rights reserved.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks, Inc.

Hillstone Networks, Inc.
Contact Information:
US Headquarters: Hillstone Networks, 292 Gibraltar Drive, Suite 105, Sunnyvale, CA
Phone:

About this Guide:
This guide gives you configuration instructions of Hillstone Networks, Inc. StoneOS user scenarios.
For more information, refer to the documentation site:
To provide feedback on the documentation, please write to us at: hs-doc@hillstonenet.com

Hillstone Networks, Inc.
TWNO: TW-CBK-UNI-5.5R1-EN-V /9/14
Release Date: 2015/9/14

Contents

Overview
How to Use Cookbook
Getting Started
  Upgrading Firmware to Higher Version
  Using Security Policy to Allow Access to Another Zone
  Allowing Private Network to Access Internet Using SNAT
  Allowing Internet to Visit a Private Server Using DNAT
  Deploying Tap Mode to Monitor Network Traffic
Authentication
  Allowing Internet Access via User Authentication
VPN
  Connection between Two Private Networks Using IPSec VPN
  Allowing Remote Users to Access a Private Network Using SSL VPN
  Using an iOS/Android Device to Remotely Access Intranet Services
  Allowing Remote Users to Access a Private Network Using L2TP over IPSec VPN
  Connection between Two Private Networks Using GRE over IPSec VPN
High Availability
  Ensuring Uninterrupted Connection Using HA
Quality of Service (QoS)
  QoS Control
Threat Prevention
  Protecting Internal Servers to Defend Attack via Abnormal Behavior Detection
  Finding Malware Attacks via Advanced Threat Detection
  Forensic Analysis
Internet Behavior Control
  Decrypt HTTPS Traffic and Identify the Encrypted Application

Overview

StoneOS Cookbook provides configuration examples for you to use Hillstone network security products. This book covers basic getting-started cases, firewall functions, and advanced user scenarios. All configuration uses the graphical user interface (GUI), also known as the web user interface (WebUI), not the command line interface.

Each recipe consists of two parts: scenario settings and configuration steps. Topology and screenshots are used to assist you in understanding the key information of the case. StoneOS Cookbook is very helpful in understanding operational logic and improving efficiency.

StoneOS Cookbook organizes its recipes into the following chapters:
"Getting Started" on Page 3 - Basic network connecting features.
"Authentication" on Page 24 - User authentication.
"VPN" on Page 29 - IPSec VPN and SSL VPN.
"Quality of Service (QoS)" on Page 74 - Bandwidth control.
"High Availability" on Page 68 - High availability.
"Threat Prevention" on Page 80 - Threat prevention.
"Internet Behavior Control" on Page 95 - Internet behavior control.

This book is updated on requirement, not periodically. The current version you are using is based on StoneOS 5.5R1.

How to Use Cookbook

Before you read the book, there are a few tips you need to know.

Target audience
Cookbook is written with new users in mind. However, if you use this book, you are still required to know how to use WebUI, connect cables and log in to the system. Such information can be found in the Getting Started Guide.

StoneOS Versions
The cookbook you are reading now is based on StoneOS 5.5. With system updates, the user interface is subject to change, and the WebUI layout may vary depending on hardware platforms. This cookbook may not match every detail of the WebUI; please check your web pages for differences when you use this book.

Reading Sequence
When you open the book, it is better to read it in the sequence below:
1. Go to "Contents" on Page 1, and locate the feature you need;
2. Jump to that feature, read the scenario description and topology;
3. Go through the step key points (marked as "Step1", "Step2") to understand the configuration logic;
4. Read the left text and right screenshots to get the details;
5. Configure your device accordingly, but substitute your own IP addresses or names.

Text vs. Screenshots
The step details are explained by combining description text and screenshots. The text on the left gives configuration details, highlights and notes; the screenshot on the right is the exact screen capture of this step.

Getting Started and Other Chapters
In this cookbook, the chapter "Getting Started" is the prerequisite for other chapters. Other chapters assume that the protected network has already finished the basic networking settings mentioned in the Getting Started chapter. In other chapters, steps like NAT, default routes and DNS are not included. So, when you refer to user scenarios in chapters other than Getting Started, you should ensure that your protected network has already been basically established.

Interface, Name, Topology
This book explains function configuration by writing scenarios (also called "cases" or "recipes"). Interface addresses, object names, and topologies are the real laboratory settings. When you configure your own network, substitute the names and addresses with your real names and addresses.

Clicking OK or Apply
Generally, when you finish filling in or editing an option, you must click the OK, Apply, or Confirm button to make the setting take effect. This kind of operation is universal. This book does not mention this operation specifically unless something else is needed.

Getting Started

Recipes in the Getting Started chapter introduce basic networking configurations. This chapter includes the following recipes:
"Upgrading Firmware to Higher Version" on Page 4
"Using Security Policy to Allow Access to Another Zone" on Page 7
"Allowing Private Network to Access Internet Using SNAT" on Page 11
"Allowing Internet to Visit a Private Server Using DNAT" on Page 14
"Deploying Tap Mode to Monitor Network Traffic" on Page 17

Upgrading Firmware to Higher Version

This example introduces how to use WebUI and CLI to upgrade firmware to a higher version.

As the exit of the company's network, the security device provides protection and services. Now, the admin needs to upgrade the firmware to optimize the system's performance and get new functions.

Preparation
Before upgrading, we recommend you:
See the system software version by using WebUI or CLI (show version) to get suitable upgrading instructions.
See the release notes of the target version to get platform upgrading instructions.
Get the upgrade file of your target version from Hillstone.
Do not upgrade at peak times, because you need to reboot the device to make the new version effective.
Do not downgrade, because system configuration may be lost.
Upgrade from CLI if your device's storage is low, and remember to remove the former firmware version before you upgrade.
Make sure you have backed up the configuration file before upgrading.
Contact us (Service Line: ) first when you are in the following situations:
  Make sure whether the license is out of date. If it has expired, you can only upgrade the system to a version whose release date is before the license expiry date. If it has not expired, upgrading can be continued. Contact us for the release date.
  Do not cross upgrade. For example, to upgrade from version 4.0 to 5.0, Hillstone recommends you first upgrade to version 4.5, and then upgrade to 5.0. Contact us for cross version upgrade.
  Contact us for upgrading information if you are in an HA environment.

Method 1: Upgrading from WebUI

Step 1: Logging in via WebUI with the admin account and viewing current system information.
Select System > System Information; the current version is 5.5R1P1.

Step 2: Exporting the configuration file as a backup.
Select System > Configuration File Management. In the Configuration File List tab, select the Startup check box and click Export. The configuration file will be exported to your local PC.

Step 3: Uploading the upgrade file and rebooting the system.
Before uploading, make sure your upgrade file is suitable for your platform.
Select System > Upgrade Management.

1. In the Upgrade Firmware tab, click the Browse button and choose the upgrade file SG6000-M-3-5.5R1P3.bin on your local PC.
2. Select the "Reboot to make the new firmware take effect" check box and click Apply.
Do not select the "Reboot to make the new firmware take effect" check box at traffic-peak time. Hillstone suggests you reboot manually when you need to.

Step 4: Verifying the upgrade results.
Log in via WebUI again when the system has finished rebooting.
1. Select System > System Information.
2. In the firmware part, you can see the current version is 5.5R1P3. Upgrade succeeded.

Method 2: Upgrading from CLI

Step 1: Logging in to the system via Telnet, and viewing the current version.
This example uses PuTTY.
1. Open PuTTY, and enter the following:
Host Name: (management IP of your device)
Connection Type: Telnet
2. Click Open. Type the username and password of admin to log in.
Type show version and press the Enter key. It will show you the current system version is 5.5R1P1.

Step 2: Upgrading your device.
We upgrade through the USB port in this example. Put your upgrade file on your USB disk, and then plug it into the USB port of the security device.
Type import image from usb0 SG6000-M-3-5.5R1P3.bin and press the Enter key.
1. Type reboot and press the Enter key.
2. The system prompts "System reboot,are you sure?". Type y to reboot.
3. Choose a configuration file. Type a after "Please choose one".

Step 3: Verifying the upgrade results.
Log in via Telnet again when the system has finished rebooting.
Type show version and press the Enter key. It will show you the current system version is 5.5R1P3.

Using Security Policy to Allow Access to Another Zone

This example introduces how to use security policies to control communication between two zones.

The scenario sets up a requirement that the private network users are not allowed to access Internet during work time. As the topology describes, policies and schedules work together to allow internal users to access the server in another zone during work hours (9:00 to 17:00). When it is not working time, the server cannot be accessed.

Step 1: Configuring Interface
1. Configuring the interface connected to private network
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:
2. Configuring the interface connected to Server
Select Network > Interface, and double-click ethernet0/2.
Binding Zone: Layer 3 Zone
Zone: dmz
Type: Static IP
IP Address:
Netmask:

Step 2: Configuring Schedule
Select Object > Schedule, and click New. In the prompt, click Add.
Name: work hour
Type: Daily
Start Time: 09:00
End Time: 17:00
Click OK to add it.

Step 3: Configuring Policies
1. Configuring a policy to allow internal users access to the server during work hours
Select Policy > Security Policy, and click Add.
Name: work
Source Zone: trust
Address: Any
Destination Zone: dmz
Address: Any
Other Information
Schedule: work hour
Action: Permit

2. Configuring a policy that internal users cannot visit the server
Select Policy > Security Policy, and click Add.
Name: rest
Source Zone: trust
Address: Any
Destination Zone: dmz
Address: Any
Other Information
Schedule: work hour
Action: Deny
3. Adjusting priority of policies
Select Policy > Security Policy, select the "work" policy, click Move, enter the "rest" policy's ID, and then click Before ID.
Note: The priority of a policy is only determined by its position in the list.

Step 4: Configuring a default route
Select Network > Routing > Destination Route, and select New.
Destination:
Subnet Mask: 0
Next Hop: Gateway
Gateway:

Step 5: Results
After configuration, the internal PC can ping the server address successfully from 9:00 to 17:00.

When the internal PC pings the server outside work time, it fails.
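The first-match behaviour behind the "Adjusting priority of policies" step, as an added Python model that is not part of the cookbook and is not StoneOS code. It assumes that a policy whose schedule is inactive does not match and that unmatched traffic is denied by default; the policy IDs and function names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time
    end: time

    def active(self, now: time) -> bool:
        # Daily window; treating the end time as exclusive is an assumption.
        return self.start <= now < self.end


@dataclass(frozen=True)
class Policy:
    pid: int                 # constructed IDs, not taken from the cookbook
    name: str
    src_zone: str
    dst_zone: str
    action: str              # "permit" or "deny"
    schedule: Optional[Schedule] = None

    def matches(self, src_zone: str, dst_zone: str, now: time) -> bool:
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        # Assumption: a policy whose schedule is inactive is skipped.
        return self.schedule is None or self.schedule.active(now)


def evaluate(policies: List[Policy], src_zone: str, dst_zone: str,
             now: time, default: str = "deny") -> Tuple[str, str]:
    """Return (action, deciding policy); the first match in list order wins."""
    for policy in policies:
        if policy.matches(src_zone, dst_zone, now):
            return policy.action, policy.name
    return default, "default"   # assumption: unmatched traffic is denied


def move_before(policies: List[Policy], pid: int, before_pid: int) -> List[Policy]:
    """Model of Move + Before ID: re-insert policy `pid` ahead of `before_pid`."""
    moved = next(p for p in policies if p.pid == pid)
    others = [p for p in policies if p.pid != pid]
    index = next(i for i, p in enumerate(others) if p.pid == before_pid)
    return others[:index] + [moved] + others[index:]


# The two policies from the recipe, with the schedule values it gives.
WORK_HOUR = Schedule("work hour", time(9, 0), time(17, 0))
REST = Policy(1, "rest", "trust", "dmz", "deny", WORK_HOUR)
WORK = Policy(2, "work", "trust", "dmz", "permit", WORK_HOUR)

MISORDERED = [REST, WORK]                          # "rest" sits above "work"
ORDERED = move_before(MISORDERED, WORK.pid, REST.pid)

if __name__ == "__main__":
    for label, policies in (("misordered", MISORDERED), ("ordered", ORDERED)):
        for now in (time(10, 0), time(20, 0)):
            decision = evaluate(policies, "trust", "dmz", now)
            print(label, now.strftime("%H:%M"), decision)
```

With "rest" above "work", the deny rule decides every work-hour session and the permit rule is never reached, which is why the recipe moves "work" ahead of it.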

Allowing Private Network to Access Internet Using SNAT

An SNAT rule is used to allow users in a private network to access Internet. An SNAT rule will translate the internal IP addresses to a public IP address, so that internal users can have access to the public network via the public interface.

As shown in the topology, via SNAT, internal PCs use eth0/3 ( /20) to visit Internet.

Step 1: Configuring Interface
1. Configuring the interface connected to private network
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:
2. Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/3.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask: 20

Step 2: Configuring security policy
Configuring a security policy to allow private network to Internet
Select Policy > Security Policy, and click Add.
Name: trust_untrust
Source Information
Zone: trust
Address: Any
Destination Zone: untrust
Address: Any
Other Information
Action: Permit

Step 3: Configuring Address book
Configuring an address range for private network users
Select Object > Address Entry, and click New.
Name: snat_ip
Member: add " /24"

Step 4: Configuring SNAT rule
Select Policy > NAT > SNAT, and click New.
Requirement:
Source Address: Address Entry, snat_ip (Note: enter the server's internal IP address.)
Translated to:
Specified IP: "IP Address", " " (Note: enter public IP address here)
Mode: Dynamic Port (multi-port to one)
(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging (for checking results).

Step 5: Configuring default route
Select Network > Routing > Destination Route, and click New.
Destination:
Subnet Mask: 0
Next Hop: Gateway
Gateway:

Step 6: Results
After configuration, PCs in the private network can ping successfully.

Step 6: Check if DNAT rule works
Make sure NAT logging is enabled in the monitor module (select Monitor > Log > Log Monitor, and under the NAT tab, select Enable).
Go to Monitor > Log > NAT; you will be able to see the destination IP has been translated to internal IP.

Allowing Internet to Visit a Private Server Using DNAT

Destination network address translation (DNAT) is normally used to allow Internet users to visit an internal server by providing an Internet IP address for the internal server.

As shown in the topology, the FTP server hides its internal IP address using a DNAT rule. The DNAT rule will give the server an Internet IP address for FTP users to access. In this way, the server can be accessed from Internet.

Step 1: Configuring interfaces
1. Configuring the interface connected to the server
Select Network > Interface, and double-click ethernet0/2.
Binding Zone: Layer 3 Zone
Zone: dmz
Type: Static IP
IP Address:
Netmask:
2. Configuring the interface connected to Internet
Select Network > Interface, and click ethernet0/3.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask: 20

Step 2: Configuring security policies
Configuring a policy allowing Internet to visit internal network
Select Policy > Security Policy, and click Add.
Name: untrust_dmz
Source Information
Zone: untrust
Address: Any
Destination Zone: dmz
Address: Any
Other Information
Action: Permit

Step 3: Configuring DNAT rule
Select Policy > NAT > DNAT, and click New > Advanced Configuration.
Requirement:
Destination Address: IP Address, (Note: enter public IP address here.)
Translated to:
Translated to: "IP Address", " " (Note: enter the server's internal IP address)
(Optional) Under the Advanced tab, select the NAT log check box to enable NAT logging (for checking results).

Step 4: Configuring default route
Select Network > Routing > Destination Route, and click New.
Destination:
Subnet Mask: 0
Next Hop: Gateway
Gateway:

Step 5: Results
After configuration, use a PC in Internet to ping the server's public address.

Step 6: Check if DNAT rule works
Make sure NAT logging is enabled in the monitor module (select Monitor > Log > Log Monitor, and under the NAT tab, select Enable).
Go to Monitor > Log > NAT; you will be able to see the destination IP has been translated to internal IP.

Deploying Tap Mode to Monitor Network Traffic

Inline mode places a device directly in the network path, while in tap mode, the device only connects to a mirrored interface of the core network. A tap device monitors or sniffs the packet information mirrored from the core network gateway. Tap products tend to be resilient and transparent so as to minimize or eliminate the effect they can have on production traffic. If you just want a sensor to monitor, analyze and log network traffic, not to forward data, it is best to choose tap mode.

In this example, a Hillstone device (T-Series Intelligent Next Generation Firewall recommended) is a network tap. Its tap interface eth0/1 directly connects to the mirror interface of the inline network gateway. The Hillstone T-Series uses its threat detection features to analyze mirrored data packets in search of network threats.

We present 4 threat detecting functions in this example. All the functions require their respective licenses to be installed before they take effect.
Intrusion Prevention System (IPS): Requires Threat Prevention (TP) or IPS license installed.
Application Identification: Requires APP DB license installed. This license is issued with the platform license for free. No need to purchase the APP DB license individually.
Advanced Threat Detection (ATD): Requires StoneShield license installed.
Abnormal Behavior Detection (ABD): Requires StoneShield license installed.

Preparation
As shown in the topology above, you need to use an RJ-45 cable to connect the mirror port eth0/4 and the tap interface eth0/1.
Configure port mirroring on the gateway of the core network. We take a Hillstone gateway as an example.

Configuring port mirroring
1. Select Network > Interface, and double-click ethernet0/3.
2. In the pop-up, click the Properties tab, and under the Mirror part, select the check box to enable traffic mirroring.

3. Return to the interface list, and make sure that the mirror port ethernet0/4 is not bound to any zone.
4. Select Network > Port Mirroring, select ethernet0/4 from the drop-down menu, and click OK.

Configuring Tap Mode and Threat Detection
Configure all the following settings on the tap device.

Step 1: Creating a tap mode
1. Select Network > Zone, and click New.
2. In the Zone Configuration dialog, configure the following:
Zone: tap-eth1
Type: TAP
Virtual Router: trust-vr
Binding Interface: ethernet0/1
3. Return to Network > Interface, and in the interface list, check that eth0/1 is in the "tap-eth1" zone.

Step 2: Creating a Policy
Create a "permit" policy on the tap device so that it can establish sessions within itself.
1. Select Policy > Security Policy, and click New.
2. In the Policy Configuration dialog, make a "permit" rule from and to the same tap zone.

Step 3: Enabling IPS and viewing IPS attacks
Enabling IPS:
1. Select Network > Zone, and double-click tap-eth1.
2. Under the Threat Prevention tab, select the Enable check box on the right of Intrusion Prevention System.
Profile: predef_default
Defense Direction: bidirectional
Checking detection results:
1. Select iCenter > Threat.
2. In the list, items marked as "Intrusion Prevention System" under the Detected by column are IPS attacks detected by the tap device.
Viewing IPS logs:
1. Select Monitor > Log > Threat, and click Filter on the top right corner.
Detected by: Intrusion Prevention System
2. Click Query, and the page will show IPS logs.

Step 4: Enabling Application Identification and viewing APP usage statistics
Enabling APP Identification:
1. Select Network > Zone, and double-click the tap-eth1 zone.
2. Under the Basic tab, select the Enable check box after Application Identification.
Viewing App monitor results:
Select Monitor > Application.
Summary: Application usage statistics by user, traffic, new session or concurrent session.
Application Details: Details of every application.
Group Details: Application group usage details.

Step 5: Enabling Advanced Threat Detection (ATD) and viewing ABD attacks
Enabling ATD:
1. Select Network > Zone, and double-click the tap-eth1 zone.
2. Under the Threat Prevention tab, select the Enable check box after Advanced Threat Detection.
Viewing ATD monitor result:
1. Select Monitor > Threat > Summary, and hover your cursor over the Malware bar to show a balloon of malware attacks.
2. Click Details after Trojan in the balloon to see details of this attack.
Viewing ATD logs
1. Select Monitor > Log > Threat, and click Filter on the top right corner.
Detected by: Advanced Threat Detection

2. Click Query, and the page will show ATD logs.
To know more about ATD, you may refer to another case in this cookbook, "Finding Malware Attacks via Advanced Threat Detection" on Page 86.

Step 6: Enabling Abnormal Behavior Detection and viewing abnormal behaviors
Enabling ABD:
1. Select Network > Zone, and double-click the tap-eth1 zone.
2. Under the Threat Prevention tab, select the Enable check box after Abnormal Behavior Detection.
Viewing monitor results:
1. Select Monitor > Threat > Summary.
2. Hover your cursor over the Scan or DoS bar, and a balloon will show up to indicate the number of Scan and DoS attacks.

Viewing ABD logs
1. Select Monitor > Log > Threat, and click Filter on the top right corner.
Detected by: Abnormal Behavior Detection
2. Click Query, and ABD logs will show.
To know more about ABD, you may refer to another case in this cookbook, "Protecting Internal Servers to Defend Attack via Abnormal Behavior Detection" on Page 81.

Authentication

Authentication is a method of verifying a visitor's identity. When a visitor is confirmed as a valid user, he is allowed to use a certain network. The visitor can be a PC, a mobile phone or a tablet.

This chapter contains the following recipe:
"Allowing Internet Access via User Authentication" on Page 25

Allowing Internet Access via User Authentication

This example shows how to use Web authentication (WebAuth). An AAA server is required in this example to confirm the identity of a user.

The topology describes the scenarios you will see in this case. In this scenario, only user 1 passes user authentication, thus he can use Internet services. Other users cannot pass authentication, so they are not allowed to access Internet.

Step 1: Configuring user and address entry
Select Object > User. In the Local User tab, under Local Server, click New > User.
Name: user1
Password:
Confirm Password:
Select Object > Address Entry > New.
Name: addr
Member: Select IP/Netmask, enter , 32, and click Add

Step 2: Configuring interface and zone
Select Network > Interface, and double-click ethernet0/0.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask: 24
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask: 20

Step 3: Using WebAuth wizard
Select Network > Authentication Management, and click WebAuth Wizard.
Mode: HTTP
HTTP Port: 8181
Select Next, and then select Local.
Select Next, and click OK.
Results: 3 policies will be created automatically.

Step 4: Modifying policy
Select Policy > Security Policy, and find the policies created by the WebAuth wizard. In this example, they are the policies with ID 11, 10 and 9.
Double-click the policy labeled "A" (ID 10), and modify the source address.
Source Information
Address: addr
Double-click the policy below "Auth" (ID 9), and specify the source user as the one who is allowed to use Internet.
Source Information
User/UserGroup: user1

Step 5: Results
Using the above configurations, the system will apply WebAuth to HTTP requests from interface /32. A visitor has to enter the username/password (user1/123456) in the browser page if he wants to access Internet.

VPN

This chapter introduces virtual private network deployment.

This chapter contains the following recipes:
IPSec VPN
"Connection between Two Private Networks Using IPSec VPN" on Page 30
SSL VPN
"Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 37
"Using an iOS/Android Device to Remotely Access Intranet Services" on Page 41
L2TP over IPSec VPN
"Allowing Remote Users to Access a Private Network Using L2TP over IPSec VPN" on Page 47
GRE over IPSec VPN
"Connection between Two Private Networks Using GRE over IPSec VPN" on Page 59

Connection between Two Private Networks Using IPSec VPN

This example tells how to create IPSec VPN tunnels to encrypt and protect the communication between two private networks. Usually, an IPSec VPN tunnel connects Device A in a branch office and Device B in the headquarters.

* Note: This topology uses a laboratory environment. In this recipe, /24 represents the public network.

Device A

Step 1: Configuring interface
1. Configuring the interface connected to private network
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:
2. Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/2.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:

Step 2: Configuring security policies
1. Creating a policy to allow private network to visit Internet
Select Policy > Security Policy, and click New.
Name: trust_untrust
Source Information
Zone: trust
Address: Any
Destination Zone: untrust
Address: Any
Other Information
Action: Permit
2. Creating a security policy to allow Internet to visit private network
Select Policy > Security Policy, and click New.
Name: untrust_trust
Source Information
Zone: untrust
Address: Any
Destination Zone: trust
Address: Any
Other Information
Action: Permit

Step 3: Configuring IPSec VPN
1. Configuring P1 proposal for IKE SA
Select Network > VPN > IPSec VPN, and under the P1 Proposal tab, click New.
Proposal Name: Headquarter_to_Branch_P1
Authentication: Pre-share
Hash: SHA
Encryption: 3DES

2. Configuring P2 proposal for IPSec SA
Select Network > VPN > IPSec VPN, and under the P2 Proposal tab, click New.
Proposal Name: Headquarter_to_Branch_P2
Authentication: ESP
Hash: SHA
Encryption: 3DES
3. Configuring VPN peer
Select Network > VPN > IPSec VPN, and under the VPN Peer List tab, click New.
Name: Headquarter_to_Branch
Interface: ethernet0/2
Mode: Main
Type: Static IP
Peer IP:
Proposal 1: Headquarter_to_Branch_P1
Pre-share Key:
4. Configuring IKE VPN
Select Network > VPN > IPSec VPN, and under the IKE VPN List tab, click New.
Peer Name: Headquarter_to_Branch
Tunnel Name: Tunnel
Mode: tunnel
P2 Proposal: Headquarter_to_Branch_P2

Step 4: Creating tunnel interface
Select Network > Interface, and click New > Tunnel Interface.
Basic
Name: 1
Zone: untrust
Tunnel Binding
Tunnel Type: IPSec VPN
VPN Name: Tunnel

Step 5: Configuring route
Select Network > Routing > Destination Routing, and click New.
Destination:
Subnet Mask: 24
Next Hop: Interface
Interface: tunnel1

Device B

Step 1: Configuring interface
1. Configuring the interface connected to private network
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:

2. Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/2.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:

Step 2: Configuring security policies
1. Creating a policy to allow private network to visit Internet
Select Policy > Security Policy, and click New.
Name: trust_untrust
Source Information
Zone: trust
Address: Any
Destination Zone: untrust
Address: Any
Other Information
Action: Permit
2. Creating a security policy to allow Internet to visit private network
Select Policy > Security Policy, and click New.
Name: untrust_trust
Source Information
Zone: untrust
Address: Any
Destination Zone: trust
Address: Any
Other Information
Action: Permit

Step 3: Configuring IPSec VPN
1. Configuring P1 proposal for IKE SA
Select Network > VPN > IPSec VPN, and under the P1 Proposal tab, click New.
Proposal Name: Branch_to_Headquarter_P1
Authentication: Pre-share
Hash: SHA
Encryption: 3DES
2. Configuring P2 proposal for IPSec SA
Select Network > VPN > IPSec VPN, and under the P2 Proposal tab, click New.
Proposal Name: Branch_to_Headquarter_P2
Authentication: ESP
Hash: SHA
Encryption: 3DES
3. Configuring VPN peer
Select Network > VPN > IPSec VPN, and under the VPN Peer List tab, click New.
Name: Branch_to_Headquarter
Interface: ethernet0/2
Mode: Main
Type: Static IP
Peer IP:
Proposal 1: Branch_to_Headquarter_P1
Pre-share Key:
4. Configuring IKE VPN
Select Network > VPN > IPSec VPN, and under the IKE VPN List tab, click New.
Peer Name: Branch_to_Headquarter
Tunnel Name: Tunnel
Mode: tunnel
P2 Proposal: Branch_to_Headquarter_P2

Step 4: Creating tunnel interface
Select Network > Interface, and click New > Tunnel Interface.
Basic
Name: 1
Zone: untrust
Tunnel Binding
Tunnel Type: IPSec VPN
VPN Name: Tunnel

Step 5: Configuring route
Select Network > Routing > Destination Routing, and click New.
Destination:
Subnet Mask: 24
Next Hop: Interface
Interface: tunnel1

Step 6: Results
Use PC1 in the headquarters to ping PC2 in the branch. It works.

Step 7: Check if IPSec VPN tunnel has been established
Go to Network > VPN > IPSec VPN, and click IPSec VPN Monitor on the top right corner. Under the <ISAKMP SA> tab and under the IPSec SA tab, you will see the status of the tunnel.

Allowing Remote Users to Access a Private Network Using SSL VPN

This example shows how to use SSL VPN to provide remote users with access to the corporate internal network.

The topology describes a remote user trying to visit the internal server within a corporate network. Using the SSL VPN tunnel, the connection between remote users and the private server is encrypted and safe.

Step 1: Creating local user
Select Object > User. In the Local User tab, under Local Server, click New > User.
Name: user1
Password:
Confirm Password:

Step 2: Configuring SCVPN address pool
Select Network > VPN > SSL VPN, and click Address Pool. In the prompt, click New.
Address Pool Name: pool1
Start IP:
End IP:
Mask:
DNS1:
WINS1:

Step 3: Creating tunnel interface
Select Network > Zone, and click New.
Zone: VPN
Type: Layer 3 Zone
Select Network > Interface, and click New > Tunnel Interface.
Interface Name: tunnel1
Binding Zone: Layer 3 Zone
Zone: VPN
Type: Static IP
IP Address:
Netmask: 24
Note: The tunnel interface must be in the same network segment as the SSL VPN address pool.

Step 4: Configuring SCVPN
Select Network > VPN > SSL VPN, and click New.
In the Name/Access User tab:
SSL VPN Name: ssl1
AAA Server: select local, and click Add
In the Interface tab:
Egress Interface 1: ethernet0/5
Service port: 4433
Tunnel Interface: tunnel1
Address Pool: pool1
In the Tunnel Route tab:
IP:
Netmask:
The tunnel route must be in the same network segment as the internal server ("Server1").

Step 5: Creating policy from VPN to any
Select Policy > Security Policy, and click New.
Name: policy
Source Information
Zone: VPN
Address: Any
Destination Information
Zone: trust
Address: Any
Other Information
Service/Service Group: Any
Action: Permit

Step 6: Results
After configuration, the remote user enters address " in a browser. The browser will show the login page. Enter username and password ("user1" and "123456"). The browser will prompt you to download the VPN client. Follow the steps to download and install the scvpn client.
The remote user opens the Hillstone Secure Connect client and enters the information below:
Server:
Port: 4433
Username: user1
Password:
When the icon in the taskbar becomes green, the client is connected. The remote user can then access the internal server via SSL VPN.

Using an iOS/Android Device to Remotely Access Intranet Services

This example introduces how to use an iOS/Android device to remotely access the resources in the private network. In the topology below, a remote user located in the Internet uses an iOS/Android device to access the intranet server Server1. The authentication method requires username and password, and the connection is based on SSL VPN.
Please first see steps 1 to 5 in "Allowing Remote Users to Access a Private Network Using SSL VPN" on Page 37 to create an SSL VPN instance.

Using an iOS Device to Remotely Access Intranet Services

Step 1: Downloading and installing Hillstone BYOD Client
In App Store, search for Hillstone BYOD Client, and click Get to download and install this application.

Step 2: Connecting to the device
Click the HBC icon in the iOS desktop. In the login page:
Connection: connection1
Server:
Port: 4433
Account: user1
Password:
Click Login. The client starts to connect to the server.

Step 3: Installing the VPN configuration profile
In the Install Profile dialog, click Install to install the VPN configuration profile.

In the Unsigned Profile dialog, click Install Now to start the installation. Enter your passcode. Click Done.

Step 4: Creating a VPN connection
In iOS, select Settings > VPN. In the CHOOSE A CONFIGURATION list, select connection1. Turn on the VPN switch. iOS connects to the VPN.

Step 5: Verifying the connection status
When the VPN status is Connected and the Connection tab of the client displays Connected, the client has successfully established a VPN connection to the device.

Step 6: Accessing intranet services
Use the iOS device to visit Server1.

Using an Android Device to Remotely Access Intranet Services

Step 1: Downloading and installing Hillstone Secure Connect
Visit Google Play to download and install Hillstone Secure Connect VPN.

Step 4: Creating a VPN connection
In Android, click the Hillstone Secure Connection icon:
Server:
Port: 4433
Account: user1
Password:
Click Login. After the VPN connection is established successfully, the key icon will appear in the notification area of your Android system.

Step 6: Accessing intranet services
Use the Android device to visit Server1.

Allowing Remote Users to Access a Private Network Using L2TP over IPSec VPN

This example shows how to use L2TP over IPSec VPN to provide remote users with access to the corporate internal network.
The topology is shown below. A remote user, located at home or in a hotel, accesses the Internet through a router with NAT enabled. This remote user uses L2TP over IPSec VPN to visit the server (PC1) in the corporate internal network. This server is protected by device A.
*Due to lab environment, use /24 to represent the public network segment.

The configuration process consists of five parts:
Configure basic settings
Configure IPSec VPN
Configure L2TP VPN
Set up a VPN connection in Windows
Adjust whether to use IPSec for L2TP VPN

Configuring Basic Settings
In device A, configure the following settings:

Step 1: Configuring an interface
Configuring the interface connected to the intranet
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: dmz
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/2.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the tunnel interface.
Select Network > Interface > New > Tunnel Interface.
Interface name: tunnel1
Binding Zone: Layer 3 Zone
Zone: trust
IP Address:
Netmask:
Keep the default of other parameters

Step 2: Configuring a security policy
Configure a security policy that allows traffic to flow from the trust zone, where the tunnel interface is located, to the dmz zone, where the internal server is located.
Select Policy > Security Policy > New.
Name: trust_to_dmz
Source
Zone: trust
Address: Any
Destination
Zone: dmz
Address: Any
Other
Service/Service Group: Any
Action: Permit

Configuring IPSec VPN
In device A, configure the following settings:

Step 1: Creating a P1 proposal and a P2 proposal
Click Network > VPN > IPSec VPN.
In the P1 Proposal tab, click New.
Proposal Name: p1forl2tp
Authentication: Pre-share
Hash: SHA
Encryption: 3DES
DH Group: Group2
Lifetime:
In the P2 Proposal tab, click New.
Proposal Name: p2forl2tp
Protocol: ESP
HASH: SHA
Encryption: 3DES
Compression: None
PFS Group: No PFS
Lifetime:
Lifesize: Enable
Lifesize:

Step 2: Configuring a VPN peer
Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.
In the Basic tab, configure the following settings:
Name: toclient
Interface: ethernet0/2
Mode: Main
Type: User Group
AAA Server: local
Proposal1: p1forl2tp
Pre-shared Key: hillstone
In the Advanced tab, configure the following settings:
NAT Traversal: Enable
Any Peer ID: Enable
Keep the default of other parameters

Step 3: Configuring IKE VPN
Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.
In the Basic tab, configure the following settings:
Peer
Peer Name: toclient
Tunnel Name: toclienttunnel
Mode: transport
P2 proposal: p2forl2tp
In the Advanced tab, configure the following settings:
Accept-all-proxy-ID: Enable
Keep the default of other parameters

Configuring L2TP VPN
In device A, configure the following settings:

Step 1: Creating a L2TP pool
Select Network > VPN > L2TP VPN > Address Pool. In the Address Pool dialog, click New.
Address Pool Name: pool1
Start IP:
End IP:

Step 2: Adding a user in the 'local' AAA server
Select Object > User > Local User > New > User.
Name: user1
Password: hillstone
Confirm Password: hillstone

Step 3: Configuring a L2TP VPN instance
Select Network > VPN > L2TP VPN > New.
In the Name/Access User tab, configure the following settings:
L2TP VPN Name: l2tpinstance1
AAA Server: local
Click Add
In the Interface/Address Pool/IPSec Tunnel tab, configure the following settings:
Egress Interface: ethernet0/2
Tunnel Interface: tunnel1
Address Pool: pool1
L2TP over IPSec: toclienttunnel

Setting up a VPN Connection
The steps for setting up a VPN connection differ between Windows operating systems. Windows 7 and Windows XP/2003 are taken as examples.

Steps of setting up a VPN connection in Windows XP/2003

Set up a connection:
1. In Control Panel, double-click Network Connections.
2. From the Network Tasks pane, click Create a new connection. The New Connection Wizard dialog appears.
3. In the pop-up dialog, click Next.
4. Select Connect to the network at my workplace. Then click Next.
5. Select Virtual Private Network connection. Then click Next.
6. Enter a name for this connection in the Company Name text box: L2TPoverIPSec. Then click Next.
7. Enter the IP address of the VPN server: Then click Next.
8. Click Finish.

Configure the Security properties of this connection:
1. After you have completed the new connection wizard, the Connect L2TPoverIPSec dialog appears.
2. Click Properties. The L2TPoverIPSec Properties dialog appears.
3. Select the Security tab.
4. Select Advanced (custom settings). Then click Settings. The Advanced Security Settings dialog appears.
5. In the Data encryption drop-down menu, select Optional encryption (connect even if no encryption).
6. In the Logon security section, select Allow these protocols.
7. Continue to select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).
8. Click OK to close the Advanced Security Settings dialog and return to the L2TPoverIPSec Properties dialog.
9. Click IPSec Settings.
10. Select Use pre-shared key for authentication and enter the pre-shared key hillstone.
11. Click OK to close the IPSec Settings dialog.

Configure the Networking properties of this connection:
1. In the L2TPoverIPSec Properties dialog, select the Networking tab.
2. In the Type of VPN drop-down menu, select L2TP IPSec VPN.
3. Ensure that you have selected the Internet Protocol (TCP/IP) check box.
4. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:
1. Find the L2TPoverIPSec connection and double-click it.
2. Enter the user name: user1
3. Enter the password: hillstone
4. Click Connect.
5. After the connection is successful, you can visit the internal server

Steps of setting up a VPN connection in Windows 7

Set up a connection:
1. Select Control Panel > Network and Internet > Network and Sharing Center.
2. Click Set up a new connection or network.
3. In the pop-up dialog, select Connect to a workplace. Then click Next.
4. Select Use my Internet connection (VPN).
5. Enter the IP address of the VPN server:
6. Enter the destination name: L2TPoverIPSec
7. Select Don't connect now; just set it up so I can connect later. Then click Next.
8. Enter the username: user1
9. Enter the password: hillstone
10. Click Create.
11. After the connection is ready to use, click Close.

Configure the Security properties of this connection:
1. In the Network and Sharing Center, click Change adapter settings.
2. Find the L2TPoverIPSec connection and right-click it.
3. In the pop-up menu, select Properties. The L2TPoverIPSec Properties dialog appears.
4. Select the Security tab.
5. In the Type of VPN drop-down menu, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
6. Click Advanced settings, select Use preshared key for authentication, then enter the key hillstone.
7. In the Data encryption drop-down menu, select Optional encryption (connect even if no encryption).
8. In the Authentication section, select Allow these protocols and then select Unencrypted password (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Configure the Networking properties of this connection:
1. In the L2TPoverIPSec Properties dialog, select the Networking tab.
2. Ensure that you have selected the Internet Protocol Version 4 (TCP/IPv4) check box.
3. Click OK to save the configurations.

Connect to the L2TPoverIPSec VPN:
1. Find the L2TPoverIPSec connection and double-click it.
2. Enter the password: hillstone
3. Click Connect.
4. After the connection is successful, you can visit the intranet server

Adjusting Whether to Use IPSec for L2TP VPN
By default, Windows requires L2TP VPN to use IPSec. For the above L2TP over IPSec VPN, you do not need to modify the system's registry. If IPSec has been disabled on the system, take the following steps to make the system use L2TP over IPSec:

Enable IPSec
1. Select Start > Run.
2. In Run, enter regedit.
3. Click OK.
4. Navigate to HKEY_Local_Machine\System\CurrentControlSet\Services\RasMan\Parameters.
5. In the right pane, find the entry ProhibitIPSec whose type is REG_DWORD.
6. Double-click this entry and change the value in the Value data text box to 0. 0 means that the system enables IPSec. 1 means that the system disables IPSec.
7. Save the modifications and restart the system.
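This recipe's proposals and Windows client settings use 3DES, SHA, Group2, No PFS, the pre-shared key hillstone, and PAP with optional encryption. As an added example (not part of the cookbook or of StoneOS), the Python below parses settings written in the recipe's "Label: value" form and lists the ones to strengthen before the configuration carries real traffic. It assumes "SHA" means SHA-1, and the option names in HARDENED (SHA256, AES256, Group14) are illustrative, not confirmed StoneOS menu entries.

```python
import re

# Setting labels as the recipe prints them (matched case-insensitively because
# the P2 proposal writes "HASH"). "Data Encryption" and "Logon Security" are the
# Windows dialog fields, written here in the same "Label: value" form.
LABELS = ["Proposal Name", "Authentication", "Hash", "Encryption", "DH Group",
          "Protocol", "Compression", "PFS Group", "Pre-shared Key",
          "Data Encryption", "Logon Security"]

# Longest labels first so "Data Encryption" is preferred over "Encryption".
_SPLIT = re.compile(
    r"\b(" + "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
    + r"):\s*",
    re.IGNORECASE,
)


def parse_settings(text):
    """Turn a flattened 'Label: value Label: value' run into a dict."""
    parts = _SPLIT.split(text)  # [leading text, label, value, label, value, ...]
    return {parts[i].lower(): parts[i + 1].strip()
            for i in range(1, len(parts) - 1, 2)}


def _one_of(*weak):
    weak = {w.lower() for w in weak}
    return lambda value: value.lower() in weak


# (setting, test that returns True when the value should be strengthened, reason)
RULES = [
    ("encryption", _one_of("des", "3des"),
     "64-bit block cipher; use an AES option where both peers support it"),
    ("hash", _one_of("md5", "sha", "sha1", "sha-1"),
     "legacy hash (SHA assumed to be SHA-1); use a SHA-2 option if available"),
    ("dh group", _one_of("group1", "group2", "group5"),
     "MODP group below 2048 bits; use Group14 or higher"),
    ("pfs group", _one_of("no pfs"),
     "Phase 2 keys depend on the Phase 1 exchange; enable a PFS group"),
    ("pre-shared key", lambda v: len(v) < 20 or v.isalpha(),
     "short or dictionary-like key; generate a long random key per peer"),
    ("data encryption", lambda v: v.lower().startswith("optional"),
     "client may connect with no encryption; select a setting that requires it"),
    ("logon security", lambda v: "pap" in v.lower().replace("chap", ""),
     "PAP is an unencrypted-password method; allow only CHAP-family methods"),
]


def audit(text):
    """Return (setting, value, reason) for every setting a rule flags."""
    settings = parse_settings(text)
    return [(key, settings[key], why)
            for key, is_weak, why in RULES
            if key in settings and is_weak(settings[key])]


# Inputs constructed from the values shown in this recipe.
P1_PROPOSAL = ("Proposal Name: p1forl2tp Authentication: Pre-share Hash: SHA "
               "Encryption: 3DES DH Group: Group2")
P2_PROPOSAL = ("Proposal Name: p2forl2tp Protocol: ESP HASH: SHA Encryption: 3DES "
               "Compression: None PFS Group: No PFS")
VPN_PEER = "Pre-shared Key: hillstone"
WINDOWS_CLIENT = ("Data Encryption: Optional encryption (connect even if no "
                  "encryption) Logon Security: PAP, CHAP")
# Hypothetical hardened proposal; the option names are assumptions.
HARDENED = ("Proposal Name: example Protocol: ESP Hash: SHA256 Encryption: AES256 "
            "Compression: None PFS Group: Group14")

if __name__ == "__main__":
    for name, text in [("P1 proposal", P1_PROPOSAL), ("P2 proposal", P2_PROPOSAL),
                       ("VPN peer", VPN_PEER), ("Windows client", WINDOWS_CLIENT),
                       ("Hardened", HARDENED)]:
        findings = audit(text)
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, why in findings:
            print(f"  {key} = {value!r}: {why}")
```

The same proposal values appear in the GRE over IPSec recipe, so the check applies to it unchanged.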

Connection between Two Private Networks Using GRE over IPSec VPN

This example introduces how to create GRE over IPSec VPN to protect the communication between the private network of the headquarters and the private network of the branch.
The topology is shown below. Device A acts as the gateway of the headquarters and device B acts as the gateway of the branch. To protect the communication between the two private networks, use GRE over IPSec VPN.
*Due to lab environment, use /22 to represent the public network segment.

The configuration process consists of five parts:
Configure basic settings
Configure IPSec VPN
Configure GRE VPN
Configure route and policies

Configuring Basic Settings

Step 1: Configuring interfaces for device A
Configuring the interface connected to the intranet
Select Network > Interface, and double-click ethernet0/0.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the tunnel interface.
Select Network > Interface > New > Tunnel Interface.
Interface name: tunnel1
Binding Zone: Layer 3 Zone
Zone: trust
IP Address:
Netmask:
Keep the default of other parameters

Step 2: Configuring interfaces for device B
Configuring the interface connected to the intranet
Select Network > Interface, and double-click ethernet0/4.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the interface connected to Internet
Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:
Keep the default of other parameters

Configuring the tunnel interface.
Select Network > Interface > New > Tunnel Interface.
Interface name: tunnel1
Binding Zone: Layer 3 Zone
Zone: trust
IP Address:
Netmask:
Keep the default of other parameters

Configuring IPSec VPN

Step 1: Configuring IPSec VPN for device A
Create a P1 proposal and a P2 proposal.
Click Network > VPN > IPSec VPN.
In the P1 Proposal tab, click New.
Proposal Name: p1forgre
Authentication: Pre-share
Hash: SHA
Encryption: 3DES
DH Group: Group2
Lifetime:
In the P2 Proposal tab, click New.
Proposal Name: p2forl2tp
Protocol: ESP
HASH: SHA
Encryption: 3DES
Compression: None
PFS Group: No PFS
Lifetime:

Configure a VPN peer.
Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.
In the Basic tab, configure the following settings:
Name: center2branch1_ipsec
Interface: ethernet0/1
Mode: Main
Type: Static IP
Peer IP:
Proposal1: p1forgre
Pre-shared Key: hillstone
Keep the default of other parameters

Configure IKE VPN.
Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.
In the Basic tab, configure the following settings:
Peer
Peer Name: center2branch1_ipsec
Tunnel Name: center2branch1_ipsec_tunnel
Mode: tunnel
P2 proposal: p2forgre
Keep the default of other parameters

Step 2: Configuring IPSec VPN for device B
Create a P1 proposal and a P2 proposal.
Click Network > VPN > IPSec VPN.
In the P1 Proposal tab, click New.
Proposal Name: p1forgre
Authentication: Pre-share
Hash: SHA
Encryption: 3DES
DH Group: Group2
Lifetime:
In the P2 Proposal tab, click New.
Proposal Name: p2forgre
Protocol: ESP
HASH: SHA
Encryption: 3DES
Compression: None
PFS Group: No PFS
Lifetime:

Configure a VPN peer.
Click Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.
In the Basic tab, configure the following settings:
Name: tocenter_ipsec
Interface: ethernet0/1
Mode: Main
Type: Static IP
Peer IP:
Proposal1: p1forgre
Pre-shared Key: hillstone
Keep the default of other parameters

Configure IKE VPN.
Click Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.
In the Basic tab, configure the following settings:
Peer
Peer Name: tocenter_ipsec
Tunnel Name: tocenter_ipsec_tunnel
Mode: tunnel
P2 proposal: p2forgre
Keep the default of other parameters

Configuring GRE VPN
GRE VPN configurations are not supported by WebUI. You need to use CLI to complete the following GRE VPN configurations.

Step 1: Configuring GRE VPN for device A
Create a GRE tunnel.
1. In the global configuration mode, create a GRE tunnel: tunnel gre center2branch1
2. Specify the source IP address of the tunnel: source
3. Specify the destination IP address of the tunnel: destination
4. Specify the egress interface of the tunnel: interface ethernet0/1
5. Specify the IPSec VPN tunnel: next-tunnel ipsec center2branch1_ipsec_tunnel
Bind the GRE tunnel to the tunnel interface.
1. Enter the interface configuration mode of tunnel1: int tunnel1
2. Bind the GRE tunnel: tunnel gre center2branch1

Step 2: Configuring GRE VPN for device B
Create a GRE tunnel.
1. In the global configuration mode, create a GRE tunnel: tunnel gre branch1
2. Specify the source IP address of the tunnel: source
3. Specify the destination IP address of the tunnel: destination
4. Specify the egress interface of the tunnel: interface ethernet0/1
5. Specify the IPSec VPN tunnel: next-tunnel ipsect_center_tunnel

Bind the GRE tunnel to the tunnel interface.
1. Enter the interface configuration mode of tunnel1: int tunnel1
2. Bind the GRE tunnel: tunnel gre branch1

Configuring Route and Policies

Step 1: Configuring route and policies for device A
Configure routes.
Select Network > Routing > Destination Route. Click New.
Destination:
Subnet Mask:
Next Hop: Interface
Interface: tunnel1
Keep the default of other parameters

Configure a security policy that allows traffic to flow from the trust zone, where the tunnel interface is located, to the trust zone, where the internal server is located.
Select Policy > Security Policy. Click New.
Name: trust_to_trust
Source
Zone: trust
Address: Any
Destination
Zone: trust
Address: Any
Other
Service/Service Group: Any
Action: Permit

Step 2: Configuring route and policies for device B
Configure routes.
Select Network > Routing > Destination Route. Click New.
Destination:
Subnet Mask:
Next Hop: Interface
Interface: tunnel1
Keep the default of other parameters

Configure a security policy that allows traffic to flow from the trust zone, where the tunnel interface is located, to the trust zone, where the internal server is located.
Select Policy > Security Policy > New.
Name: trust_to_trust
Source
Zone: trust
Address: Any
Destination
Zone: trust
Address: Any
Other
Service/Service Group: Any
Action: Permit

Step 3: Verifying the connection between two private networks
After completing the above steps, the headquarters and branch can visit each other.

High Availability

High Availability is a redundancy backup method. It uses two identical devices to ensure that when one fails, the other immediately takes over to provide network consistency.
This chapter includes the following recipe:
"Ensuring Uninterrupted Connection Using HA" on Page 69

Ensuring Uninterrupted Connection Using HA

This example introduces how to configure two devices working in Active-Passive mode to provide high availability for the protected network.
The topology gives a typical user scenario for HA. In the designed scenario, one of the HA devices (Device A) works in active mode, while the other (Device B) is in passive mode. The active device synchronizes its data and status to the passive device. When the active one fails, the passive device immediately switches to active without interrupting the network.

Step 1: Configuring track object of Device A
This monitors Device A's eth0. When A's interface fails to work, Device B takes over.
Select Object > Track Object, and click New.
Name: track1
Threshold: 255
Track Type: Select Interface, and click Add. In the prompt, select ethernet0/0, and weight as 255.

Step 2: Configuring HA
Device A
Select System > HA, under the Group0 part:
Priority: 10
Track Object: track1
Device B
Select System > HA, under the Group0 part:
Priority: 100

Step 3: Configuring Device A's interface and policy
Select Network > Interface, and double-click ethernet0/0.
Binding Zone: Layer 3 Zone
Zone: untrust
Type: Static IP
IP Address:
Netmask:

Select Network > Interface, and double-click ethernet0/1.
Binding Zone: Layer 3 Zone
Zone: trust
Type: Static IP
IP Address:
Netmask: 29
Select Policy > Security Policy, and click New.
Name: policy
Source Information
Zone: trust
Address: Any
Destination Information
Zone: untrust
Address: Any
Other Information
Service/Server Group: Any
Action: Permit

Step 4: Configuring HA control link interface and enabling HA
Device A
Select System > HA.
Control Link Interface 1: ethernet0/4
Control Link Interface 2: ethernet0/8
IP Address: /24
HA Cluster ID: 1

Device B
Select System > HA.
Control Link Interface 1: ethernet0/4
Control Link Interface 2: ethernet0/8
IP Address: /24
HA Cluster ID: 1

Step 5: Configuring management IP of active and passive devices after synchronization
Device A
Select Network > Interface, and double-click ethernet0/1. Under the Basic tab, under IP Configuration, click Advanced.
Management IP
IP Address:
Device B
Select Network > Interface, and double-click ethernet0/1. In the Basic tab, under IP Configuration, click Advanced.
Management IP
IP Address:

Step 6: Results
After configuration, select System > System Information. The device's HA status is shown next to the "HA state" item.
Device A HA Status: Master
Device B HA Status: Backup

When Device A fails to forward traffic or its eth0/0 is disconnected, Device B switches to Active and starts forwarding without interrupting the protected network.
Select System > System Information. The HA state item shows the device's status.
Device A HA Status: Monitor Failed
Device B HA Status: Master

Quality of Service (QoS)

QoS adopts the concept of a "pipe" to indicate the traffic control method. A pipe is a bandwidth limit. The system divides bandwidth by creating pipes of different sizes.
This chapter contains the following recipe:
"QoS Control" on Page 75

QoS Control

This example shows how to control Internet bandwidth allocation to different users and applications. The key feature that applies in this situation is 2-Stage QoS flow control.
As shown in the topology below, a company of 155 MB Internet bandwidth has a 2-Stage QoS requirement:
In 1st Stage QoS: Within the 155 Mbps bandwidth, 40 Mbps will be allocated to Department A, 40 Mbps to Department B, and the remaining 75 Mbps will be shared by all employees.
In 2nd Stage QoS: The total P2P flow is limited to 10 Mbps, in which downloading is limited to 2 Mbps, streaming video is limited to 8 Mbps, and within the video bandwidth, Youku streaming is limited to 6 Mbps.

Step 1: Creating address entries for Dept. A and Dept. B
Select Object > Address Entry, and click New.
Name: DeptA
Member: select IP Range, and enter " " and " " and click Add.

Create another address entry:
Name: DeptB
Member: select IP Range, and enter " " and " " and click Add.

Step 2: Create a root pipe of 155 Mbps under Level-1 Control
Select Policy > QoS, click Level-1 Control, and click New > Pipe.
Pipe Name: TotalBW
In the same tab, click New.
Source Information
Interface: ethernet0/2
Under the Action tab:
Forward Pipe Bandwidth: Kbps
Backward Pipe Bandwidth: Kbps

Step 3: Creating sub-pipes for two departments below root pipe
Select root pipe "TotalBW" and click New.
Pipe Name: pipea
Click New, and under Source Information, select "DeptA" as Address.
Click the Action tab:
Forward Bandwidth: min: Kbps; max: Kbps
Backward Bandwidth: min: 40000 Kbps; max: Kbps
Use the same steps to create "pipe B":
Pipe name: pipeb
Source address: DeptB
(Forward and Backward) min bandwidth: kbps
(Forward and Backward) max bandwidth: kbps

Step 4: Creating root pipe "p2p" under Level-2 control to limit P2P total to 10 Mbps
Select Policy > QoS, select Level-2 Control and click New > Pipe.
Pipe Name: p2p

In the same tab, click New.
Source Information
Interface: ethernet0/2
Other
APP/APP Group: P2P, P2P_Stream
Under the Action tab:
Forward Bandwidth: kbps
Backward Bandwidth: kbps

Step 5: Creating sub pipes under root pipe "p2p"
1. Creating a sub-pipe to limit p2p software
Under Level-2 Control, select root pipe "p2p", and click New > Pipe.
Pipe Name: p2p_soft
Click New: in the prompt, select P2P as APP/APP Group.
Select the Action tab:
Forward bandwidth: min: 32; max: 2000
Backward bandwidth: min: 32; max:
2. Creating a sub-pipe to limit p2p video streaming
Under Level-2 Control, select root pipe "p2p", and click New > Pipe.
Pipe Name: p2p_stream
Click New: in the prompt, select P2P_Stream as APP/APP Group.
Select the Action tab:
Forward bandwidth: min: 32; max: 8000
Backward bandwidth: min: 32; max:
3. Creating a sub-pipe to limit p2p video streaming
Under Level-2 Control, select sub pipe "p2p_stream", and click New > Pipe.
Pipe Name: p2p_stream
Click New: in the prompt, select Youku and Youku_Stream as APP/APP Group.
Select the Action tab:
Forward bandwidth: min: 32; max: 6000
Backward bandwidth: min: 32; max: 6000

Threat Prevention

Threat prevention means that the device can detect and block network threats as they occur. By configuring the threat protection function, the device can defend against network attacks and reduce the losses caused to the internal network.
This chapter includes the following recipes:
"Protecting Internal Servers to Defend Attack via Abnormal Behavior Detection" on Page 81
"Finding Malware Attacks via Advanced Threat Detection" on Page 86
"Forensic Analysis" on Page 90

Protecting Internal Servers to Defend Attack via Abnormal Behavior Detection

This example introduces how to use Abnormal Behavior Detection to find attacks on servers as early as possible, and how to integrate it with Mitigation to protect servers better.
As shown in the topology, the device is deployed at the data center exit. After Abnormal Behavior Detection is enabled and configured, when a Web server is frequently hit by scanning attacks or a mail server is periodically hit by DoS attacks, the administrator can find these attacks and protect the internal hosts and servers.
* To use Abnormal Behavior Detection, apply for and install the StoneShield license.

Step 1: Enabling Abnormal Behavior Detection to defend internal hosts
Select Network > Zone. Select the 'trust' zone, click Edit, and select the <Threat Protection> tab.
Abnormal Behavior Detection: Select the Enable check box. The system generates an Abnormal Behavior Detection object whose IP is and protects the overall network under this zone.
Host Defender: Select the Host Defender check box. The system generates an Abnormal Behavior Detection object whose type is host.

Step 2: Configuring the Abnormal Behavior Detection object (Web Server and Mail Server)
Select Network > Zone. Select the 'dmz' zone, click Edit, and select the <Threat Protection> tab.
Abnormal Behavior Detection: Select the Enable check box. This protects the overall network under this zone.

1. Configuring the Abnormal Behavior Detection object (Web Server), and enabling the web server advanced protection.
Click Configure, and click New.
Name: Web Server
Type: Server
IP:
Web Server Advanced Protection: Select the check box.
2. Configuring the Abnormal Behavior Detection object (Mail Server)
Click Configure, and click New.
Name: Mail Server
Type: Server
IP:

Step 3: Viewing the results of Abnormal Behavior Detection
1. Viewing the results from iCenter
Results of Web Server: Select iCenter > Threat, click the threat name 'Web Vulnerability Scan' link in the list, and select the <Details> tab to view the Abnormal Behavior Detection information and the trend chart of the actual value and predictive value of the detected object.
Results of Mail Server: Click the threat name 'Connection Flood' link in the list, and select the <Details> tab to view the Abnormal Behavior Detection information and the trend chart of the baseline and thresholds of the detected object.

2. Viewing the results from threat log
1. Select Monitor > Log > Threat, and click Filter at the right corner.
Detected By: Abnormal Behavior Detection
2. After you click Query, the log of Abnormal Behavior Detection is shown.
3. Viewing the results from threat monitor
Select Monitor > Threat > Summary. Hover your mouse over the 'Scan' and 'DoS' bars to view the number of threats.
Results of Web Server: Select Detail from the pop-up menu of 'Web Application Scan' to view the detailed information of the scanning attack.

Results of Mail Server: Select Detail from the pop-up menu of 'DoS' to view the detailed information of the DoS attack.

Step 4: Integrating with Mitigation, and configuring the mitigation rules for attacks
Select iCenter > Mitigation > Mitigation Rule, and select the Enable Auto Mitigation check box.

Configuring mitigation rules for Web Vulnerability Scan Attack
In the Mitigation Rule page, click New.
Log Type: Scan
Severity: Low
Value: >= 10 Time
Action Type: IP Block
Duration: 60

Configuring mitigation rules for Connection Flood Attack
In the Mitigation Rule page, click New.
Log Type: DoS
Severity: Low
Value: >= 10 Time
Role: Attacker
Action Type: Session Control
Session Type: New Session
Total Number: 20
Drop Percent: 50
Duration:

Step 5: Viewing the results of auto mitigation rules
Select iCenter > Threat, and click the 'Web Vulnerability Scan' link in the list. In the Detail dialog, select the Mitigation tab. Select the IP Block tab in the Auto mitigation action section to view the result of mitigation rules.
Select iCenter > Threat, and click the 'Connection Flood' link in the list. In the Detail dialog, select the Mitigation tab. Select the Session Control tab in the Auto mitigation action section to view the result of mitigation rules.

Finding Malware Attacks via Advanced Threat Detection

This example shows how to use Advanced Threat Detection to detect malicious behavior and recognise APT attacks, and thus find malware earlier and stop it from spreading in the internal network.
As shown in the topology, the device is deployed at the data center exit. After Advanced Threat Detection is enabled and configured, when an internal host is infected by Trojan attacks, the administrator can find and resolve the attack.
* To use Advanced Threat Detection, apply for and install the StoneShield license.

Step 1: Enabling Advanced Threat Detection and capturing packets to defend internal hosts
Select Network > Zone. Select the "trust" zone, click Edit, and select the <Threat Protection> tab.
Advanced Threat Detection: Select the Enable check box.
Capture Packets: Select the check box. The system will save the evidence messages and support downloading them.

Step 2: Viewing the results of detection
Viewing the results from the threat log
1. Select Monitor > Log > Threat, and click Filter at the right corner.
   Threat: Malware
   Detected By: Advanced Threat Detection
2. After you click Query, the log of Trojan attacks is shown.
Viewing the results from the threat monitor
1. Select Monitor > Threat > Summary, and hover your mouse over the 'Malware' bar to view the number of Trojan attacks.
2. Select Detail from the pop-up menu of 'Trojan' to view the detailed information of Trojan attacks.

Viewing the results from iCenter
1. Select iCenter > Threat, and set up filters as follows:
   Severity: Critical
   Threat Type: Malware
   View the detected time, severity, threat map, etc.
2. Click the threat name link in the list, and select the <Details> tab to view advanced threat detection information, malware reliability information, etc.
3. Click View PCAP to view the details of the packets.
4. Click Download PCAP; the data packets are downloaded locally.

Step 3: Marking the threat status
In the Detail dialog, select Resolved.
Resolved: When the threat entry status is 'resolved', it does not participate in the 'Network Risk Index' score.

Forensic Analysis
This feature may not be available on all platforms. Please check your system's actual page to see if your device delivers this feature.
This example shows how to view the threats of the whole network in depth and analyze the threat evidence. Forensic Analysis provides an evidence chain of network threats: collection, multi-perspective analysis, and in-depth integration.
Evidence Collection: With the Forensic Analysis function (packet capture) configured, evidence is collected at the same time as the attack is detected.
Evidence Analysis: Analyze the collected evidence.
Evidence Presentation: Display the threat details, logs, and evidence pcap via iCenter to visualize the threat.
At present, the system supports the Forensic Analysis function for only three threat detection engines (Advanced Threat Detection, Intrusion Prevention System, Anti Virus).

Advanced Threat Detection
Enable packet capture for Advanced Threat Detection; the system will capture packets when generating logs.
Select Network > Zone, select the "trust" zone, click Edit, and select the <Threat Protection> tab. Select the Capture Packets check box.

Intrusion Prevention System
1. Enable packet capture for IPS rules; this enables it for all of the profile's protocols. Select Object > Intrusion Prevention System, click New, and select the Enable check box to enable packet capture.
2. According to your requirements, configure packet capture for a specific protocol. Select Object > Intrusion Prevention System; in the IPS rules list, click a protocol type, for example 'DHCP', and select the Enable check box to enable packet capture for different attack levels.

Anti Virus
Enable packet capture for Anti Virus rules. Select Object > Antivirus, click New, and select the Enable check box before Capture Packet to enable the capture function.

Forensic Analysis Configuration Example
The following takes Advanced Threat Detection (ATD) as an example to demonstrate the process of Forensic Analysis.

Step 1: Threat Detection
Enabling Advanced Threat Detection and capturing packets
Select Network > Zone. Select the "trust" zone, click Edit, and select the <Threat Protection> tab.
Advanced Threat Detection: Select the Enable check box.
Capture Packets: Select the check box. The system saves the evidence messages and supports downloading them.

Step 2: Evidence Collection
When an ATD attack occurs, the system generates a relevant threat log and captures evidence, which is sent to the system database.
At the same time, the Advanced Threat Detection engine captures a relational pcap according to the source IP: the HTTP traffic data (including TCP interaction) in 5 minutes or a 64K size package, which is used to assist in the analysis.

Step 3: Evidence Analysis
1. Analyze and get the threat detail information.
2. Collect the analysis of evidence.

Step 4: Evidence Presentation
1. Display the threat information, including the threat name, type, severity, victim host, attack host, etc. Click "iCenter", and select the Threat tab.

Click the threat name link in the list to view the threat details.
2. Viewing the evidence details. Select the <Details> tab, and click View PCAP.

3. Viewing the relational pcap details. Select the <Details> tab, and click Relational PCAP.
4. Downloading evidence. Select the <Details> tab, and click Download PCAP; the evidence is downloaded locally.
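As an added example, not part of the StoneOS Cookbook or Hillstone's software: once the evidence from Step 4 has been downloaded, the HTTP requests in it can be listed per source host offline. It assumes the download is a classic libpcap file with Ethernet framing; the function names, sample capture, addresses and host names are constructed for illustration.

```python
import struct
from collections import defaultdict

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def iter_frames(data):
    """Yield (ts_sec, frame) from a classic pcap byte string (Ethernet link type)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break  # last record cut off, e.g. the capture hit its size limit
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_http_request(frame):
    """Return a dict if an IPv4/TCP frame's payload starts an HTTP request, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not plain IPv4 (VLAN-tagged frames are skipped as well)
    if frame[14] >> 4 != 4 or frame[23] != 6:
        return None  # IPv4 carrying TCP only
    tcp = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp + 20:
        return None
    dport = struct.unpack_from("!H", frame, tcp + 2)[0]
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    host = ""
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "dport": dport,
        "method": parts[0].decode(),
        "uri": parts[1].decode("latin-1"),
        "host": host,
    }


def summarize(data):
    """Group HTTP requests by source IP, in capture order."""
    by_src = defaultdict(list)
    for ts, frame in iter_frames(data):
        req = parse_http_request(frame)
        if req:
            by_src[req["src"]].append(
                (ts, req["method"], req["host"], req["uri"], req["dst"], req["dport"]))
    return dict(by_src)


# --- constructed sample capture below (not real traffic) ---
def _frame(src, dst, dport, payload):
    eth = b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Two HTTP requests, a bare ACK, a TLS record, then a truncated last record."""
    get = b"GET /gate.php?id=1 HTTP/1.1\r\nHost: update.example.test\r\n\r\n"
    post = b"POST /gate.php HTTP/1.1\r\nhost: update.example.test\r\n\r\nok"
    frames = [
        (1000, _frame("10.0.0.5", "203.0.113.10", 80, get)),
        (1001, _frame("10.0.0.5", "203.0.113.10", 80, b"")),
        (1002, _frame("10.0.0.5", "203.0.113.10", 80, post)),
        (1003, _frame("10.0.0.9", "198.51.100.7", 443, b"\x16\x03\x01\x00\x05hello")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    # Record header claims 60 bytes but only 10 follow: a truncated capture.
    return out + struct.pack("<IIII", 1004, 0, 60, 60) + b"\x00" * 10


if __name__ == "__main__":
    for src, reqs in summarize(build_sample_pcap()).items():
        print(src, reqs)
```

The parser reads one request per TCP segment and does not reassemble streams, so a request split across segments is reported only if its request line and Host header arrive in the first one.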

Internet Behavior Control
Internet behavior control allows you to flexibly configure control rules to comprehensively control and audit (by behavior logs) user network behavior.
This chapter contains the following recipe:
"Decrypt HTTPS Traffic and Identify the Encrypted Application"

Decrypt HTTPS Traffic and Identify the Encrypted Application
This example introduces how to decrypt HTTPS traffic and identify the encrypted application, which meets the requirements of fine-grained application management.
As shown in the scenario below, an internal user accesses an HTTPS website and the traffic is encrypted by the SSL protocol. With the SSL proxy and application identification functions enabled, the device can decrypt the HTTPS traffic and identify the encrypted application.

Step 1: Configuring an SSL proxy profile
Select Policy > SSL Proxy, and click New. In the Basic tab:
Name: profile1
Expired certificate: Decrypt
Unsupported version: Block
Unsupported encryption algorithms: Block
Client verification: Block
Warning: Enable

Step 2: Specifying an SSL profile in the security policy
Configure a security policy that allows internal users to access the Internet, and specify an SSL proxy profile in the Advanced tab:
SSL Proxy: Select the Enable checkbox and select profile1 from the drop-down list.

Step 3: Importing the device certificate to the client's Web browser
Export the certificate from the device. Click System > PKI. In the Management tab:
Trust Domain: trust_domain_ssl_proxy
Content: CA Certificate
Action: Export
Click OK to export the certificate.
Import the certificate to the client's Web browser.
1. In the Chrome Web browser, select Settings > Show advanced settings.
2. In the HTTPS/SSL section, select Manage certificates.
3. In the Trusted Root Certification Authorities tab, select Import.
4. Follow the wizard to import the certificate.

Step 4: Upgrading to the professional application signature database and enabling the application identification function
In CLI, execute the upgrade command to upgrade to the professional application signature database
Select Network > Zone, and double-click the untrust zone. In the Basic tab:
Application Identification: Select Enable.

Step 6: Viewing application monitor
Select Monitor > Application > Application Details.
When an internal user accesses an HTTPS website, the SSL proxy function decrypts the HTTPS traffic and the application identification function identifies the encrypted application.


More information

DUO LINK 4 APP User Manual V- A PNY Technologies, Inc. 1. PNY Technologies, Inc. 34.

DUO LINK 4 APP User Manual V- A PNY Technologies, Inc. 1. PNY Technologies, Inc. 34. 34. 1. Table f Cntents Page 1. Prduct Descriptin 4 2. System Requirements 5 3. DUO LINK App Installatin 5 4. DUO LINK App Mving Screens 7 5. File Management 5.1. Types f views 8 5.2. Select Files t Cpy,

More information

ClubRunner. Volunteers Module Guide

ClubRunner. Volunteers Module Guide ClubRunner Vlunteers Mdule Guide 2014 Vlunteer Mdule Guide TABLE OF CONTENTS Overview... 3 Basic vs. Enhanced Versins... 3 Navigatin... 4 Create New Vlunteer Signup List... 5 Manage Vlunteer Tasks... 7

More information

Sircon User Guide A Guide to Using the Vertafore Sircon Self-Service Portal

Sircon User Guide A Guide to Using the Vertafore Sircon Self-Service Portal Sircn User Guide A Guide t Using the Vertafre Sircn Self-Service Prtal September 2016 Versin 16.8 Cntents Cntents Using the Vertafre Sircn Self-Service Prtal... 3 Lg In... 3 Hme Page... 4 Lg New Cases...

More information

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers

HW4 Software version 3. Device Manager and Data Logging LOG-RC Series Data Loggers Page 1 f 18 HW4 Sftware versin 3 Device Manager and Data Lgging LOG-RC Series Data Lggers 2011; Page 2 f 18 Table f cntents 1 ORGANIZATION OF THE HW4 MANUALS... 3 2 OVERVIEW... 4 3 INITIAL SETUP... 4 3.1

More information

SASAC v1.0 Implementing Core Cisco ASA Security Cisco Training

SASAC v1.0 Implementing Core Cisco ASA Security Cisco Training SASAC v1.0 Implementing Cre Cisc ASA Security Cisc Training Curse Length: 5 Curse Delivery: Traditinal Classrm Online Live Curse Overview Cisc ASA Cre v1.0 is a new 5-day ILT class that cvers the Cisc

More information

Because of security on the site, you cannot create a bookmark through the usual means. In order to create a bookmark that will work consistently:

Because of security on the site, you cannot create a bookmark through the usual means. In order to create a bookmark that will work consistently: The CllegeNet URL is: https://admit.applyweb.cm/admit/shibbleth/crnell Lg in with Crnell netid and Kerbers passwrd Because f security n the site, yu cannt create a bkmark thrugh the usual means. In rder

More information

Cisco Nexus Data Broker Embedded: Implementation Quick- Start Guide

Cisco Nexus Data Broker Embedded: Implementation Quick- Start Guide Cisc Nexus Data Brker Embedded: Implementatin Quick- Start Guide Table f Cntents What Yu Will Learn... 2 Cisc Nexus Data Brker Slutin Overview... 2 Cisc Nexus Data Brker Slutin Lab Setup Tplgy... 3 Enabling

More information

Manual for installation and usage of the module Secure-Connect

Manual for installation and usage of the module Secure-Connect Mdule Secure-Cnnect Manual fr installatin and usage f the mdule Secure-Cnnect Page 1 / 1 5 Table f Cntents 1)Cntents f the package...3 2)Features f the mdule...4 3)Installatin f the mdule...5 Step 1: Installatin

More information

Dynamic Storage (ECS)

Dynamic Storage (ECS) User Guide Dynamic Strage (ECS) Swisscm (Schweiz) AG 1 / 10 Cntent 1 Abut Dynamic Strage... 3 2 Virtual drive, the EMC CIFS-ECS Tl... 4 3 Amazn S3 Brwer... 6 4 Strage Gateway Appliance... 9 5 Amazn S3

More information

OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS

OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS OASIS SUBMISSIONS FOR FLORIDA: SYSTEM FUNCTIONS OASIS SYSTEM FUNCTIONS... 2 ESTABLISHING THE COMMUNICATION CONNECTION... 2 ACCESSING THE OASIS SYSTEM... 3 SUBMITTING OASIS DATA FILES... 5 OASIS INITIAL

More information

DocAve Governance Automation 2

DocAve Governance Automation 2 DcAve Gvernance Autmatin 2 Business User Guide Service Pack 2 Issued March 2018 The Enterprise-Class Management Platfrm fr SharePint Gvernance Table f Cntents What s New in this Guide... 3 Submitting Dcumentatin

More information

Paraben s Phone Recovery Stick

Paraben s Phone Recovery Stick Paraben s Phne Recvery Stick v. 3.0 User manual Cntents Abut Phne Recvery Stick... 3 What s new!... 3 System Requirements... 3 Applicatin User Interface... 4 Understanding the User Interface... 4 Main

More information

Dell Chassis Management Controller (CMC) Version 1.35 for Dell PowerEdge VRTX. Release Notes

Dell Chassis Management Controller (CMC) Version 1.35 for Dell PowerEdge VRTX. Release Notes Dell Chassis Management Cntrller (CMC) Versin 1.35 fr Dell PwerEdge VRTX Release Ntes Release Type and Definitin The Dell Chassis Management Cntrller (CMC) Versin 1.35 fr Dell PwerEdge VRTX is a System

More information

ClassFlow Administrator User Guide

ClassFlow Administrator User Guide ClassFlw Administratr User Guide ClassFlw User Engagement Team April 2017 www.classflw.cm 1 Cntents Overview... 3 User Management... 3 Manual Entry via the User Management Page... 4 Creating Individual

More information

USO RESTRITO. SNMP Agent. Functional Description and Specifications Version: 1.1 March 20, 2015

USO RESTRITO. SNMP Agent. Functional Description and Specifications Version: 1.1 March 20, 2015 Functinal Descriptin and Specificatins Versin: 1.1 March 20, 2015 SNMP Agent Simple Netwrk Management Prtcl Optin S fr IE and PM Mdules Supplement t Functinal Descriptin and Specificatins f RUB Ethernet

More information

Upgrade Guide. Medtech Evolution Specialist. Version 1.11 Build (October 2018)

Upgrade Guide. Medtech Evolution Specialist. Version 1.11 Build (October 2018) Upgrade Guide Medtech Evlutin Specialist Versin 1.11 Build 1.11.0.4 (Octber 2018) These instructins cntain imprtant infrmatin fr all Medtech Evlutin users and IT Supprt persnnel. We suggest that these

More information

ROCK-POND REPORTING 2.1

ROCK-POND REPORTING 2.1 ROCK-POND REPORTING 2.1 AUTO-SCHEDULER USER GUIDE Revised n 08/19/2014 OVERVIEW The purpse f this dcument is t describe the prcess in which t fllw t setup the Rck-Pnd Reprting prduct s that users can schedule

More information

Towne Information Systems, Inc. Inter-Office Correspondence

Towne Information Systems, Inc. Inter-Office Correspondence Twne Infrmatin Systems, Inc. Inter-Office Crrespndence Date: 2/25/2019 Frm: Bill Salyers Subject: Getting Started with O365 By nw yu shuld have read abut ur mve t Micrsft O365 a new versin f Micrsft Office.

More information

Employee Self Service (ESS) Quick Reference Guide ESS User

Employee Self Service (ESS) Quick Reference Guide ESS User Emplyee Self Service (ESS) Quick Reference Guide ESS User Cntents Emplyee Self Service (ESS) User Quick Reference Guide 4 Intrductin t ESS 4 Getting Started 5 Prerequisites 5 Accunt Activatin 5 Hw t activate

More information

TMS myclouddata SDK DEVELOPERS GUIDE

TMS myclouddata SDK DEVELOPERS GUIDE TMS mycluddata SDK TMS mycluddata SDK February 2017 Cpyright 2017 by tmssftware.cm bvba Web: http://www.tmssftware.cm Email: inf@tmssftware.cm 1 TMS mycluddata SDK Index Availability... 3 Online references...

More information

LiveEngage and Microsoft Dynamics Integration Guide Document Version: 1.0 September 2017

LiveEngage and Microsoft Dynamics Integration Guide Document Version: 1.0 September 2017 LiveEngage and Micrsft Dynamics Integratin Guide Dcument Versin: 1.0 September 2017 Cntents Intrductin... 3 Step 1: Sign Up... 3 CRM Widget Signing Up... 3 Step 2: Cnfiguring the CRM Widget... 4 Accessing

More information

Welcome to Remote Access Services (RAS) Virtual Desktop vs Extended Network. General

Welcome to Remote Access Services (RAS) Virtual Desktop vs Extended Network. General Welcme t Remte Access Services (RAS) Our gal is t prvide yu with seamless access t the TD netwrk, including the TD intranet site, yur applicatins and files, and ther imprtant wrk resurces -- whether yu

More information