Operational User Guidance and Preparative

Transcription

1 Operational User Guidance and Preparative Procedures Pulse Secure, LLC Document Version 0.4 March 2018 Document Version Pulse Secure, LLC Page 1 of 86

2 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA Abstract This document provides the Operational User Guidance and Preparative Procedures for the Pulse Secure Virtual. Document Version Pulse Secure, LLC Page 2 of 86

3 Table of Contents 1. Introduction Audience Purpose Document References Supported TOE Platforms Operational Environment Excluded Functionality Understanding Pulse Connect Secure/Pulse Policy Secure Management Interfaces Authentication Realm Sign-In Policies User Roles Resources Policies Commissioning the Virtual Physical Installation Initial Setup Connect Administrator Web Console Configuring External, Management Interfaces/Ports Configuring DNS Server in PCS/PPS Sync System Time Software Updates TOE Configuration Prerequisites for TOE Configurations Password Minimum Length Configuration Serial Console Access Control Configuration Terminating a Local Console Session Administrative Banner Configuration Configure GUI Inactivity Timeout Period Terminating a GUI Session Import Trusted Client CA Import Trusted Server CA Enable NDcPP Mode Configuring Syslog Server Removing Cached CRL Entry of CA Chain in PCS Delete CA Chain from Trusted Client CA Delete CA Chain from Trusted Server CA Integrate with Pulse One (Optional) Auditing Audit Log Record Audit Logs Log Sent to Remote Audit Storage Hash Functions Self-Test Security Objectives for the Operational Environment Document Version Pulse Secure, LLC Page 3 of 86

4 10 Obtaining Documentation and Submitting a Service Request Document Version Pulse Secure, LLC Page 4 of 86

5 List of Tables Table 1-1 Document References... 7 Table 1-2 Supported Platforms... 7 Table 1-3 Hardware details... 7 Table Interface Functions Table 5-1a Configuration Parameter for Event Log Table 5-1b Configuration Parameter for Event Log Table 5-2 Configuration Parameter for Admin Access Log Table 5-3a Configuration Parameter for User Access Log Table 5-3b Configuration Parameter for User Access Log Table 5-4 Configuration Parameter for Syslog Server Table 6-1 Syslog log field mapping Table 7-1 Hash functions and usage Document Version Pulse Secure, LLC Page 5 of 86

6 1. Introduction 1.1 Audience This document is written for administrators configuring the TOE, specifically the Pulse Connect Secure and Pulse Policy Secure software. To use this guide, you need a broad understanding of networks in general and the internet in particular, networking principles, and network configuration. All the Sections in the Document is written in a sequence based on what all steps administrator has to do when received a brand new Pulse Secure Device. 1.2 Purpose This document details the operational and preparative procedures for the Common Criteria evaluation. It highlights the specific TOE configuration and administration functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration as defined in the Security Target [ST]. This document does not mandate configuration settings for the features of the TOE that are outside the evaluation scope. This document identifies the appropriate locations within Pulse Secure documentation to get the specific details for configuration and maintaining Pulse Connect Secure services. 1.3 Document References This document makes references to several Pulse Secure documents. The documents used are shown below. Reference number [REGCARD] [ADM] [POGUIDE] [PCSRN] Document Name Registration, EULA, and Tech Pubs Pulse Connect Secure Administration Guide Product Release 8.2 and Pulse Policy Secure Administration Guide Product Release 5.3 Pulse One Quick Set Up Guide Pulse Connect Secure and Pulse Policy Secure Release Notes Enclosed in appliance package Location of Document PCS Virtual PPS Virtual PCS Virtual PPS Virtual Document Version Pulse Secure, LLC Page 6 of 86

7 Reference number [NDcPP] [ST] [AGD] Document Name Network Device Collaborative Protection Profile Pulse Connect Secure and Pulse Policy Secure Security Target Operational User Guidance and Preparative Procedures (This document) Table 1-1 Document References Location of Document PCS Virtual PPS Virtual PCS Virtual PPS Virtual Supported TOE Platforms The following tables describe the appliance hardware that are included in the evaluated configuration. PLATFORM Hardware Platform Table 1-2 Supported Platforms VERSION/MODEL NUMBER Intel Xeon E v4 on Dell Power Edge R430/R530, Intel Xeon E v4 (single-user mode) The Pulse Connect Secure software runs on any one of the TOE hardware platforms. The platforms provide different amounts of processing power and network connectivity options as described below. Model Hardware Details Processor Power Edge R430/R530 Intel Xeon ES-2620 v4 (single-user mode) Table 1-3 Hardware details 1.5 Operational Environment The TOE supports the following hardware and software components in its operational environment. Each component is identified as being required or not based on the claims made in the [ST]. 1. Virtual (VA) console The TOE supports VA console access for device configuration. 2. TLS Client (Web Admin Interface) The TOE supports Web Admin Interface, also referred to as Administrator Web Console. o Internet Explorer 11, Google Chrome 50, or Firefox 38 Document Version Pulse Secure, LLC Page 7 of 86

8 o o Supporting TLSv1.1 and/or TLSv1.2 Supporting at least one of the following ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_ SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA Syslog server 4. The syslog audit server is used for remote storage of audit records that have been generated by and transmitted from the TOE. o Conformant with RFC 5424 (Syslog Protocol) o Supporting Syslog over TLS (RFC 5425) o Acting as a TLSv1.1 and/or TLSv1.2 server o o Supporting Client Certificate authentication Supporting at least one of the following cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_ SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA The TOE supports communications with an external CRL to verify client certificates. CRL Server is required to be conformant with RFC \ 6. Pulse One (optional) The TOE optionally can be integrated with the Pulse One v2.0 management server. 7. DNS Server The DNS Server is used for resolving hostnames. o Conformant with RFC *NOTE* In the evaluated configuration, there may be no other guest VMs on the physical platform providing non-network device functionality. Document Version Pulse Secure, LLC Page 8 of 86

9 1.6 Excluded Functionality The TOE includes the following functionality that may not be enabled or used in the CC evaluated configuration: SNMP Traps External Authentication Servers for administrator authentication DMI Agent DMI Agent Inbound DMI Connection under System Configuration DMI Agent should not be Enabled and Inbound Connection status should show as Disabled. If Inbound DMI connection is Enabled, then need to disable the Inbound checkbox. Document Version Pulse Secure, LLC Page 9 of 86

10 1.6.2 SNMP Traps SNMP Traps under System Log/Monitoring SNMP should not be Enabled. If SNMP Traps is Enabled, then need to disable the SNMP Traps checkbox External Authentication Servers for administrator authentication Under Authentication Auth. Server, other than default Authentication Servers (Administrators and System Local), Administrator should not create any new Authentication Server Type Listed below for administrator authentication: Document Version Pulse Secure, LLC Page 10 of 86

11 1.6.4 [MAG-SM160 and MAG-SM360 only] Chassis Management For only MAG-SM360 and MAG-SM160 Hardware Model, Under Authentication Auth. Server, Administrator will see one more default Auth Server (Chassis Auth Server) of Type Chassis SSO. The Chassis Auth Server is disabled by default. To check Chassis Auth Server is disabled, click on Chassis Auth Server and check there is no Certificate been installed as below: Document Version Pulse Secure, LLC Page 11 of 86

12 If there is any Certificate installed, then Chassis Auth Server is enabled. Administrator needs to delete the Certificate by Clicking Delete to disable the same. Document Version Pulse Secure, LLC Page 12 of 86

13 2. Understanding Pulse Connect Secure/Pulse Policy Secure The following section covers background information that is helpful in understanding the TOE configuration steps in the rest of the document. 2.1 Management Interfaces INTERFACE PORT Virtual Console Internal Port External Port Table Interface Functions FUNCTION Initial system setup Local Area Network connection Remote Administrator console connection and connections to the Internet. Syslog Server: The Syslog traffic will be sent over Management Port if Management Port is enabled. If Management Port is disabled, then syslog traffic will be sent over Internal Port. CRL Server: The CRL traffic will be sent over Internal Port by default. Pulse One: The Pulse One traffic will be sent over via Internal Port by default. 2.2 Authentication Realm An authentication realm specifies the conditions that users must meet in order to sign into the system. A realm consists of a grouping of authentication resources, including: An authentication server verifies that the user is who he claims to be. The system forwards credentials that a user submits on a sign-in page to an authentication server. Eg: Certificate Server A directory server an LDAP server that provides user and group information to the system that the system uses to map users to one or more user roles. This is not applicable for NDcPP Mode. An authentication policy specifies realm security requirements that need to be met before the system submits a user's credentials to an authentication server for verification. This is not evaluated for NDcPP Mode Role mapping rules conditions a user must meet in order for the system to map the user to one or more user roles. These conditions are based on either user information returned by the realm's directory server or the user's username or certificate attributes. Eg: Certificate attribute like CN, Serial Number etc. 2.3 Sign-In Policies Sign-in policies define the URLs that users and administrators use to access the device and the sign-in pages that they see. The system has two types of sign-in policies one for users Document Version Pulse Secure, LLC Page 13 of 86

14 and one for administrators. When configuring sign-in policies, you associate realms, sign-in pages, and URLs. 2.4 User Roles A user role is an entity that defines user session parameters (session settings and options), personalization settings (user interface customization and bookmarks), and enabled access features (Web, file, secure application manager, VPN tunneling, Secure , enterprise onboarding Telnet/SSH, Terminal Services, meeting, access, virtual desktops, HTML5 access, and Pulse Secure client). A user role does not specify resource access control or other resource-based options for an individual request. 2.5 Resources Policies A resource policy is a system rule that specifies resources and actions for a particular access feature. A resource is either a server or file that can be accessed through the system, and an action is to allow or deny a resource or to perform or not perform a function. Each access feature has one or more types of policies, which determine the system s response to a user request or how to enable an access feature. Document Version Pulse Secure, LLC Page 14 of 86

15 3. Commissioning the Virtual 3.1 Physical Installation The physical appliance running the TOE should be setup according to the instructions from the manufacturer of the Virtual s platform. 3.2 Initial Setup *NOTE* In the evaluated configuration, there may be no other guest VMs on the physical platform providing non-network device functionality. Contents of OVF Package(after unzipping) Download the OVF package to a PC from where you would connect to the vcenter Server or ESXi Server Document Version Pulse Secure, LLC Page 15 of 86

16 Connect to vcenter Server or ESXi through vsphere Client or vsphere web client Right click on ESXi Server and click on Deploy OVF Template Document Version Pulse Secure, LLC Page 16 of 86

17 Click on Browse and select the OVF file and/or.vmdk file Select the DC Name Document Version Pulse Secure, LLC Page 17 of 86

18 Select the ESXi Server on which you would like to deploy the VA-SPE Click on Next Document Version Pulse Secure, LLC Page 18 of 86

19 Select the Datastore and click on Next Assign appropriate Destination Network for Internal, External and Management port of VA-SPE Click on Next Document Version Pulse Secure, LLC Page 19 of 86

20 Document Version Pulse Secure, LLC Page 20 of 86

21 Click on Finish Document Version Pulse Secure, LLC Page 21 of 86

22 VA-SPE would be deployed and would show up under the ESXi Server Document Version Pulse Secure, LLC Page 22 of 86

23 Right click on VA-SPE, and click on Power On Document Version Pulse Secure, LLC Page 23 of 86

24 Click on Summary tab and click on Virtual Console Document Version Pulse Secure, LLC Page 24 of 86

25 Progress of installation would get displayed on Virtual Console Document Version Pulse Secure, LLC Page 25 of 86

26 VA-SPE would reboot and come up with Post Installation Here admin can enter the initial configuration parameters for VA-SPE After initial setup the following steps should be followed: 1. Enter y to accept the license terms (or enter r to read the license first). 2. Follow the directions in the console, and enter the machine information for which you are prompted: a. Configure internal port i. IP address ii. Network mask iii. Default gateway address b. Configure DNS i. Primary DNS server address ii. Secondary DNS server address (optional) iii. Default DNS domain name (for example, acmegizmo.com) c. WINS server name or address (optional) i. Enter to go to next step d. Configured network setting is displayed for you to review. Enter y to accept or n to modify. e. Configure administrator i. Administrator username Enter an administrator username. This will create an administrator user account with all of the necessary privileges. This username Document Version Pulse Secure, LLC Page 26 of 86

27 and password will be used thereafter through the web console interface for administrator management functions. ii. Administrator password Must adhere to the password complexity requirements. See <Administrator Passwords> section for password requirements and recommendations. f. Enter information to create a self-signed certificate i. Common machine name (for example, connect.acmegizmo.com) ii. Organization name (for example, Acme Gizmo, Inc.) iii. Enter random text (used for auth certificate) 3.3 Connect Administrator Web Console Administrator Web Console is available after the initial setup through serial console: 1. Launch a web browser from a laptop that is network connected. 2. Point the browser at the same IP address that was assigned to the internal port followed by /admin (for example, 3. When prompted with the security alert to proceed without a signed certificate, click Yes. When the administrator sign-in page appears, you have successfully connected your device to the network. 4. On the sign-in page, enter the administrator username and password you created earlier. Then click Sign In. 5. The Administrator Web Console opens to the System > Status > Overview page. 3.4 Configuring External, Management Interfaces/Ports Configure External Port On Administrator Web Console, 1. Navigate to System Network External Port 2. Click on Enabled 3. Enter IP address, Netmask, and Default Gateway Document Version Pulse Secure, LLC Page 27 of 86

28 4.4.2 Configure Management Port (Optional) On the supported platforms that management port is available, you may also configure management port to use it for communication with syslog server and/or Pulse One. To configure management port, on Administrator Web Console, 1. Navigate to System Network Management Port 2. Click on Enabled 3. Enter IP address, Netmask, and Default Gateway Document Version Pulse Secure, LLC Page 28 of 86

29 3.5 Configuring DNS Server in PCS/PPS On Administrator Web Console, 1. Navigate to System Network Overview 2. Enter IP address for Primary DNS, and DNS Domain 3. Secondary DNS is an optional field 3.6 Sync System Time Once a month, administrator is required to sync the system time by doing the following: 1. Go to System > Status > Overview page. 2. Click on the Edit link next to System Date & Time. 3. On the Date and Time page: a. In the Set Time Manually section, click on Get from Browser button. Document Version Pulse Secure, LLC Page 29 of 86

30 b. Click on Save Changes button 3.7 Software Updates If a new NDcPP compliant software package is available, follow instructions in this section to update the software package on the TOE. The verification of the authenticity of the software package is performed by digital signature verification. 1. Download the TOE software package from Pulse Secure Licensing and Download Center onto a trusted computer system. 2. On Administrator Web Console 3. Navigate to Maintenance -> System -> Upgrade/Downgrade 4. In the expanded Install Server Package section, click on From File option, then click on Browse to select the server package downloaded earlier 5. Click Install to start the installation process Document Version Pulse Secure, LLC Page 30 of 86

31 6. Below information is shown during installation 4. TOE Configuration 4.1 Prerequisites for TOE Configurations You ve configured the TOE follow instructions in Commissioning the. External DNS Server should be able to resolve the hostnames used in the testing External Syslog server is up and running. External CRL is up and running. If you plan to integrate with Pulse One, Pulse One server is up and running. Document Version Pulse Secure, LLC Page 31 of 86

32 4.2 Password Minimum Length Configuration On Administrator Web Console, follow below instruction to set administrator minimum password length to be Set in Admin Realm: a. Navigate to Administrators > Admin Realms b. Click on Admin Users c. Click on Authentication Policy tab d. Click on Password tab e. Click on Only allow users that have passwords of a minimum length f. Enter 15 as Minimum Length 2. Set in local auth server configuration: a. Navigate to Authentication -> Auth. Servers b. Click on Administrators c. On Settings tab, click on Password Options section d. Configure 15 characters as Minimum Length e. Configure Maximum Length greater than or equal to 15 characters set as Minimum Length. 3. Review all previously configured administrator passwords, update to ensure all are at least 15 characters. 4.3 Serial Console Access Control Configuration Configure administrator access control for the local serial console is a two-step process. Step1, Enable allow console access for the administrator. In Administrator Web Console, 1. go to Authentication -> Auth. Servers 2. This screen is shown Document Version Pulse Secure, LLC Page 32 of 86

33 3. Select Administrators 4. Click on Users tab 5. Click on administrator name configured in Initial Setup Document Version Pulse Secure, LLC Page 33 of 86

34 6. Click on Allow console access checkbox 7. Click on Save Changes Step2, Enable password protection for the console. Connect to the local serial console, the serial console menu is shown as below. Choose option 5 on the local serial console. You should see a confirmation: Password protection enabled, make sure you have at least one local administrator. Document Version Pulse Secure, LLC Page 34 of 86

35 4.4 Terminating a Local Console Session To exit a console session, choose option 11 on the local serial console. 4.5 Administrative Banner Configuration Configure administrator banner for the Administrator Web Console and the local serial console is a two-step process. Step1, create a Sign-in notification. On Administrator Web Console: 1. Navigate to Authentication -> Signing In -> Sign-in Notifications Document Version Pulse Secure, LLC Page 35 of 86

36 2. This screen is shown 3. Click on New Notification Document Version Pulse Secure, LLC Page 36 of 86

37 4. Enter a name for the new notification in the Name: 5. In Type:, select Text 6. Enter banner message in the Text: 7. Click on Save Changes Step 2, associate the notification with an admin URL. On Administrator Web Console, 1. Navigate to Authentication -> Signing In -> Sign-In Policies 2. Click on admin URL */admin/ 3. In the Configure SignIn Notifications section, select the check box Pre-Auth Sign-in Notification. Document Version Pulse Secure, LLC Page 37 of 86

38 4. A drop down box appears next to Pre-Auth Sign-in Notification once it is selected, in the drop down box, select the notification you created in Step 1 above. 5. Click on Save Changes 4.6 Configure GUI Inactivity Timeout Period 1. Navigate to Administrators -> Admin Roles -> <Role Name> -> Session Options 2. Under the Session lifetime section, enter the Idle timeout in minutes. To log out of the web administrative session, on any screen click on the Sign Out link at the top right of the screen. 4.7 Terminating a GUI Session To log out of the web administrative session, on any screen click on the Sign Out link at the top right of the screen. 4.8 Import Trusted Client CA Trusted Client CA is required in order to validate the client certificate that is used by the TOE to authenticate to syslog server. On Administrator Web Console, Document Version Pulse Secure, LLC Page 38 of 86

39 1. Navigate to System -> Configuration -> Certificates -> Trusted Client CAs 2. Click Import CA Certificates button to import CA or Chain of CAs one by one as explained below in different Screenshots 3. Click on Import Certificate Document Version Pulse Secure, LLC Page 39 of 86

40 4. The imported trusted client CA is shown in the Trusted Client CAs table 4.9 Import Trusted Server CA Trusted Server CA is used in two situations: To validate the device certificate that is generated for TLS handshake when a TLS client is connecting to the TOE. To validate the server certificate received in TLS handshake when the TOE connects to syslog server and Pulse One. On Administrator Web Console, 1. Navigate to System -> Configuration -> Certificates -> Trusted Server CAs. 2. Click on Import Trusted Server CA 3. On the Import Trusted Server CA screen, click on Browser, import the root CA certificate file. Document Version Pulse Secure, LLC Page 40 of 86

41 Note: In order to import CA Chain, all Sub CAs must be imported one by one. 4. Once CA or CA Chain is Imported, click Done 5. The CA Common Name of the imported trusted server CA should be shown in the Trusted Server CA table on screen System -> Configuration -> Certificates -> Trusted Server CAs. Document Version Pulse Secure, LLC Page 41 of 86

42 Device Certificates Device certificate needs to be configured in order for the TOE to use in TLS handshake when a TLS client connects to the TOE. The TOE supports RSA device certificate and ECC device certificate. Generate RSA or ECC Certificate On Administrator Web Console, 1. Navigate to System -> Configuration -> Certificates -> Device Certificates 2. Click on New CSR 3. Fill in CSR fields: Document Version Pulse Secure, LLC Page 42 of 86

43 Common Name: The fully qualified domain name (FQDN) for your web server. This must be an exact match. Eg: pcs.test.saqacertserv.com Organization Name: The exact legal name of your organisation. Do not abbreviate your organisation name. Eg: Pulse secure india pvt ltd. Org. Unit Name: Section of the organisation, can be left empty if this does not apply to your case. Eg: Engineering Locality: The city where your organisation is legally located. Eg: Bangalore State: The state where your organisation is legally located. Must not be abbreviated. Eg: Karnataka Country: The two-letter ISO abbreviation for your country. Eg: IN Address: The address used to contact your organisation. Eg: Key Type: Public/Private Key Pair Type. To generate RSA device certificate, click on RSA radio button, then select 2048 bits or 3072 bits as Key Length. Optionally, Random Data can be entered for generating Key Pair. To generate ECC device certificate, click on ECC radio button, select P-256 or P-384 as ECC Curve. Optionally, Random Data can be entered for generating Key Pair. See below for ECC device certificate request screenshot: Document Version Pulse Secure, LLC Page 43 of 86

44 4. Click on Create CSR 5. Copy CSR content shown in the text field. Send CSR to Certificate Authority for signing to generate a certificate. 6. Navigate to System -> Configuration -> Certificates -> Device Certificates and click on Pending CSR link in the table at the bottom of the screen. Document Version Pulse Secure, LLC Page 44 of 86

45 7. On the Pending Certificate Signing Request Page, in the expanded Import signed certificate section, click on Browse to select the certificate file. 8. Click on Import 9. The new certificate is shown in System -> Configuration -> Certificates -> Device Certificates Document Version Pulse Secure, LLC Page 45 of 86

46 10. Click on the certificate name that was created 11. The Certificate Details screen is shown, in the expanded Present certificate on these ports section, select <Internal Port> in the left panel that is labelled Internal Virtual Ports, click on Add -> to map it to the new device certificate. If the <Internal Port> is not available in the left panel that is labelled Internal Virtual Ports, then the internal port is already mapped to a different device certificate, please see NOTE on instructions to remove the internal port from the currently mapped device certificate. 12. Click on Save Changes, the selected port in step 11 is shown in the Used by field for the new certificate. Document Version Pulse Secure, LLC Page 46 of 86

47 NOTE: If the internal port is already mapped to a different device certificate, do the following: a. Click the device certificate that is mapped to the internal port and select <Internal Port> from Selected Virtual Ports box Document Version Pulse Secure, LLC Page 47 of 86

48 b. Click on Remove to unmap the device certificate from the Internal port and Save Changes Document Version Pulse Secure, LLC Page 48 of 86

49 Configure Secure Channel to Syslog Server The evaluated configuration uses TLS to protect the communications between the TOE and the external audit storage (syslog) server. To configure the secure channel from the TOE to Syslog Server, the following configuration is required: A trusted server CA needs to be imported into the TOE which is used to authenticate the syslog server. See section Import Trusted Server CA on importing the trusted server CA for communication with syslog server. A RSA 2048/3072 client auth certificate needs to be imported in order to authenticate to the syslog server. See section Import Client Auth Certificate. A trusted client CA must be imported in order to validate the client auth certificate. See section Import Trusted Client CA on instructions to import a trusted client CA. Document Version Pulse Secure, LLC Page 49 of 86

50 If the TLS connection unintentionally broke, TOE automatically reconnects following an exponential increasing timer. The reconnect timer starts at 15 seconds and doubles after each failed reconnect attempt until reaches 15 minutes, and TOE continuously reconnect at 15 minute intervals. Import Client Auth Certificate Following instructions below to import a RSA 2048/3072 Client Auth Certificate into the TOE. On Administrator Web Console, 1. Navigate to System -> Configuration -> Certificates -> Client Auth Certificates 2. Click on Import Certificate & Key 3. Follow instructions on Import Certificate & Key screen to import the client auth certificate 4. The imported certificate should be shown in the table in System -> Configuration -> Certificates -> Client Auth Certificates screen 5. Click on Save Changes. Document Version Pulse Secure, LLC Page 50 of 86

51 4.10 Enable NDcPP Mode On Administrator Web Console, 1. Navigate to System -> Configuration > Security > Inbound SSL Options 2. Click on Turn on NDcPP mode checkbox highlighted to make the TOE common criteria compliant 3. Once Turn on NDcPP mode is enabled, Turn on FIPS mode is also automatically enabled. Document Version Pulse Secure, LLC Page 51 of 86

52 4. Enable Use 2048 bit Diffie-Hellman key exchange checkbox 5. Uncheck SSL Legacy Renegotiation Support option 6. Click on Save Changes 7. At this point, the Turn on NDcPP mode is enabled for both Inbound SSL Options and Outbound SSL Options and the following is shown: a. Accept only TLS1.0 and later and Accept SSL V3 and TLS (maximize compatibility) are disabled in the NDcPP mode. Accept only TLS 1.1 and later is selected by default. b. Custom SSL Cipher Selection Allowed Encryption Strength are automatically selected. Click on Show Selected Ciphers displays below 16 Ciphers in the right panel labelled Selected Cipher. c. Select TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA on the right panel, and click Remove button to remove it from the Selected Ciphers. d. Navigate to System -> Configuration > Security > outbound SSL Options Document Version Pulse Secure, LLC Page 52 of 86

53 e. Custom SSL Cipher Selection Allowed Encryption Strength are automatically selected. Click on Show Selected Ciphers displays below 16 Ciphers in the right panel labelled Selected Cipher. f. Select TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA on the right panel, and click Remove button to remove it from the Selected Ciphers. 8. Optionally, you may check below log to confirm NDcPP mode is enabled: Navigate to System -> Log/Monitoring -> Admin Access -> Logs and Check for the logs mentioned in Audit logs section NDcPP_Mode_Enable. 9. Optionally, you may check below log to confirm that DHE2048 Key Exchange Option is enabled: Navigate to System -> Log/Monitoring -> Admin Access -> Logs and Check for the logs mentioned in section DHE2048_Key_Exchange Enable Configuring Syslog Server Syslog server can to be configured for event log, admin access log and User access log. Configure Syslog Server for Event Log To configure syslog server settings for event logs, navigate to System -> Log/Monitoring -> Events -> Settings. Configure parameters base on below evaluated settings: PCS PARAMETER Maximum Log Size Max Log Size Select Events to Log Connection Requests System Status System Errors Rewrite Statistics Performance License Protocol Events Pulse One Events Reverse Proxy Syslog Servers Table 4-1a Configuration Parameter for Event Log PPS 200 MB (up to 500 MB) SELECTION Enable Enable Enable Enable Enable Enable Disable Enable Enable See Section Configure Syslog Server Parameters Document Version Pulse Secure, LLC Page 53 of 86

54 PARAMETER Maximum Log Size Max Log Size Select Events to Log Connection Requests System Status System Errors Statistics Performance License Protocol Events Pulse One Events Syslog Servers Table 4-2b Configuration Parameter for Event Log SELECTION 200 MB (up to 500 MB) Enable Enable Enable Enable Enable Disable Enable See Section Configure Syslog Server Parameters Configure Syslog Server for Admin Access Log To configure syslog server for admin log, navigate to System -> Log/Monitoring -> Admin Access -> Settings. Select the following settings for the Admin Access logging options in the evaluated configuration: PARAMETER Maximum Log Size Max Log Size Select Events to Log Administrator changes Administrator logins License changes Syslog Servers 200 MB (up to 500 MB) Table 4-3 Configuration Parameter for Admin Access Log SELECTION Enable Enable Enable See Section Configure Syslog Server Parameters Configure Syslog Server for User Access Log To configure syslog server for admin log, navigate to System -> Log/Monitoring -> User Access -> Settings Select the following settings for the Admin Access logging options in the evaluated configuration: PCS PARAMETER Maximum Log Size Max Log Size Select Events to Log Login/logout SAM/Java User Settings 200 MB (up to 500 MB) Enable Disable Enable SELECTION Document Version Pulse Secure, LLC Page 54 of 86

55 PARAMETER SELECTION Meeting Events Disable Client Certificate Enable Active Sync Proxy Disable IF-MAP Client User Disable Messages Pulse Client Messages Disable HTML5 Access Disable Web Requests Enable File Requests Enable Meeting Disable Secure Terminal Enable VPN Tunneling Enable SAML Disable Syslog Servers See Section Configure Syslog Server Parameters Table 4-4a Configuration Parameter for User Access Log PPS PARAMETER Maximum Log Size Max Log Size Select Events to Log Login/logout SAML User Settings IF-MAP Client User Messages Pulse Client Messages Syslog Servers Table 4-5b Configuration Parameter for User Access Log SELECTION 200 MB (up to 500 MB) Enable Disable Enable Disable Disable See Section Configure Syslog Server Parameters Configure Syslog Server Parameters In the Syslog Servers expanded section, enter information as stated in table PARAMETER Server name/ip Facility Type Client Certificate SELECTION Fully qualified domain name or IP address for the syslog server. This should match with the common name of the TLS syslog server certificate. Syslog server facility level (LOCAL0 - LOCAL7). Chose the option that is appropriate based on your syslog configuration. TLS Select the client auth certificate imported in Import Client Auth Certificate to authenticate to the syslog server. Document Version Pulse Secure, LLC Page 55 of 86

56 PARAMETER Filter Standard (Default) Table 4-6 Configuration Parameter for Syslog Server SELECTION By default, the TSF allocates 200 MB to local audit storage; however, the administrator can configure the amount of space allocated to local audit storage, up to 500 MB. The TSF divides the local audit storage between two audit files. When the current audit file reaches capacity; the TSF deletes the inactive log file, creates a new log file, switches logging to the new log file, and generates an audit log indicating that a log file reached capacity. When reached 90% of configured Max Log Size (MB), a log message is audited. The TSF protects audit data from unauthorized modification and deletion though the restrictive administrative interfaces. The filesystem of the TSF is not exposed to the administrative user over the HTTPs GUI or the local CLI. The administrative user must be positively identified and authenticated prior to being allowed to clear the local audit log or change audit settings Removing Cached CRL Entry of CA Chain in PCS Note: To remove cached CRL entry of CA Chain in PCS, follow section 5.15 and Delete CA Chain from Trusted Client CA 1) Go to System > Configuration > Certificates > Trusted Client CAs 2) Select CA Chain one by one and Click Delete Document Version Pulse Secure, LLC Page 56 of 86

57 3) Repeat the Step 2) till all the CA Chain is Deleted 4.14 Delete CA Chain from Trusted Server CA 1) Go to System > Configuration > Certificates > Trusted Server CAs 2) Search CA by its Common Name in Search Bar to List the CA which needs to be deleted 3) Select CA Chain one by one and Click Delete Document Version Pulse Secure, LLC Page 57 of 86

58 4) Repeat the Step 2) and Step 3) till all the CA Chain is Deleted 5. Integrate with Pulse One (Optional) Optionally, the TOE may integrate with Pulse One. The following configuration is required to establish a NDcPP compliant secure connection with Pulse One. There are two steps required in this process: Generate a registration code for the TOE on Pulse One Enter the registration code onto the TOE for it to authenticate to Pulse One Step 1: Generate a registration code for the TOE on Pulse One On Pulse One web console, 1. Click on s to list the Group and s 2. Click on Add 3. Enter the host name of the TOE Document Version Pulse Secure, LLC Page 58 of 86

59 4. Click on Save. Details of Registration Host and Registration Code is shown. The Registration code needs to be entered into the TOE. Step 2: Enter the registration code onto the TOE for it to authenticate to Pulse One On the TOE s Administrator Web Console, 1. Navigate to System -> Configuration -> Pulse One -> Settings, enter the host name of the Pulse One server and the registration code that obtained in Generate_PulseOne_RegCode Document Version Pulse Secure, LLC Page 59 of 86

60 2. Click on Save Changes. This triggers a registration request from the TOE to Pulse One server. This registration may take a few seconds. After Successful Registration, Registration Status and Notification Channel Status indicator should change from Black to Green, Also Client Device Id and Notification URL will be filled with appropriate details. Document Version Pulse Secure, LLC Page 60 of 86

61 Document Version Pulse Secure, LLC Page 61 of 86

62 6 Auditing 6.1 Audit Log Record The Audit log records contain the following information: Severity Log ID Log ID starts with a three-letter prefix, such as SYS, ADM, AUT, ERR and NWC. Depends on the prefix, the log message is stored in one of three log files: o SYS, ERR log message is stored in event log file o ADM log message is stored in admin access log o AUT, NWC log message is stored in user access log Message which includes: o Date/time of the event o Node name o Source IP address o User ID o Realm and Role information o Description of event outcome These fields are laid out as follows: Severity Log ID - year-month-day HH:MM:SS - Node name - [Source IP address] - User ID User Realm User Role Message e.g. In this example, Severity is Info an informational message ID is ADM22668 The ID. This also indicated the type of event in the first 3 letters. Date and time is :23:22 Node name is ive Source IP is User is admindb The Realm is Admin Users Role is.administrators The log message is Login succeeded for admindb/admin Users from via management port. <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> <Log Message> 6.2 Audit Logs System start-up Document Version Pulse Secure, LLC Page 62 of 86

63 6.2.1 System Start-up Event Logs System start-up Info SYS20413 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Started system software version <software version> successfully System Shutdown Logs Shutdown through Admin UI Minor ADM20640 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Server shutdown requested by admindb/administrators. Successful Shutdown through Console Menu Minor ADM20640 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Server shutdown requested by serial/console Device Certificate CRL Addition Admin Logs The log means Device Certificate CRL was added successfully. Info ADM31374 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Added CDP <URL> for Device Certificate <certificate> Revoked Device Certificate Events Logs This log is shown when Device certificate was revoked. Minor ERR20921 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Closing client connection because connection limit reached. Major SYS31375 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Device Certificate <Certificate DN> is revoked. Document Version Pulse Secure, LLC Page 63 of 86

64 6.2.5 NDcPP Mode Enable Configuration Admin Logs Configuration change to enable NDcPP mode on the TOE. Info ADM23434 Info ADM31354 Info ADM30965 Info ADM31273 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Allowed SSL and TLS changed from TLSv1 and above to TLS1.1 and above. <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Changed Allowed Encryption Strength from <ciphersuite> to <ciphersuite>. <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> FIPS mode is now turned on. The web server will restart. <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> NDcPP mode is now turned on. The web server will restart NDcPP Mode Disable Configuration Admin Logs Configuration change to disable NDcPP mode on the TOE. Info ADM31273 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> NDcPP mode is now turned off. The web server will restart CA CRL Download Events Logs This log describes successful CRL Download from CRL Server for the CA on the TOE. Info SYS23068 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Downloaded new CRL (size in bytes) from CA CRL URL DH2048 Key Exchange Enable Configuration Admin Logs Configuration change to enable DH2048 Key Exchange Option on the TOE. Info ADM31287 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> DHE2048 option is now enabled CA CRL Validation Log for Valid Certificate This log describes certificate passed CRL check. Info AUT30970 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> The X.509 certificate for <Certificate DN> successfully passed CRL checking Document Version Pulse Secure, LLC Page 64 of 86

65 Info AUT30972 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> CRL checking started for certificate <Certificate Subject DN> issued by <Issuer Subject DN> CA CRL Check Log for Revoked Certificate This log describes a revoked certificate failed CRL check. Info Info AUT30641 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> The X.509 certificate for <Certificate DN> issued by <Issuer Subject DN> failed in CRL checking; Status '23'; Detail: 'certificate revoked' AUT30972 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> CRL checking started for certificate <Certificate Subject DN> issued by <Issuer Subject DN> Successful Logs for Admin Login and Logout Info ADM20668 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Login succeeded for <user id> from < IP> via internal port. Info ADM22671 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Logout from <IP> Failure Log for Admin Login and Logout Info AUT23458 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Login failed using <auth server>. Reason: <fail reason>. Info ADM30685 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Primary authentication failed for <user ID> from <IP> Termination (timeout) of administrator session Admin Logs This logs describe termination of an administrator session due to idle session timeout. Info ADM20664 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Session timed out for <user name> Users due to inactivity (last access at <date time>. Idle session identified during routine system scan Failure to establish a connection to syslog via TLS User Logs Document Version Pulse Secure, LLC Page 65 of 86

66 Failed validation check for certificate Major SYS31372 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Certificate <certificate content> is rejected in NDcPP mode because RSA bit length 1024 is not supported. Failed CRL check for certificate Critical SYS31048 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Lost syslog connection to peer: <syslog server name>. Major SYS31375 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> 'Client Auth Certificate' <certificate content> is revoked Establishment of a TLS connection to syslog server User Logs Info SYS31437 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Successful syslog connection peer: <syslog server name> Termination of a TLS connection to syslog server User Logs Connection to syslog server terminated log. Critical SYS31048 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Lost syslog connection to peer: <syslog server name> Changes to the time Manual change of time by Admin Info ADM20653 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Time adjusted by <#> seconds. Info ADM20647 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System date modified to <date>. Document Version Pulse Secure, LLC Page 66 of 86

67 Initiation of update Update Initiated Info ADM31438 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> - Initializing the system software upgrade process. Update Completed Successfully Info SYS20413 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> - Started system software version 8.2R9.10 (build 55399) successfully Update Failed Major ADM20715 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. Major ADM23393 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. The service package uploaded is the same as the existing package Major ADM23394 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. Unable to install the selected service package because the version <version 1> of the package is lower than the version <version 2> of the software running in this node and the node is enabled in a cluster configuration. Please disable the cluster node and retry. Major ADM23395 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. The service package selected to install is older than the currently installed package. Major ADM31317 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software <version> failed. The service package uploaded is not valid. Major ADM24232 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. Another upgrade was in progress. Major ADM24487 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. Installation timed out. Major ADM30656 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. You must provide a package of the same personality. Document Version Pulse Secure, LLC Page 67 of 86

68 Major ADM30480 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> System software upgrade failed. The service package uploaded is not supported on Virtual s. Virtual s are supported only from software version <version>. System software upgrade failed. The service package uploaded is not supported on Virtual s. Virtual s are supported only from software version <version> Power-On Self-Test Self-Test Completed Successfully Info ADM23434 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Allowed SSL and TLS changed from TLSv1 and above to TLS1.1 and above Info ADM24491 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Changed custom cipher for Allowed Encryption Strength from <ciphersuites> to <ciphersuites> Info ADM30965 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> FIPS Mode is now turned on. The web server will restart. Info ADM31273 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> NDcPP Mode is now turned on. The web server will restart. Info SYS30966 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Web server running in FIPS mode Info SYS31256 <current timestamp> <node name> <IP Address> <user id> <Realm> <Role> Starting services: web server Self-Test Failed Due to File Integrity Check Failure Critical SYS31161 <current timestamp> - ive - [ ] System()[] - Failed filesystem integrity check Self-Test Failed Due to Cryptographic Library Tests Failure Critical ERR30967 <current timestamp> - ive - [ ] System()[] Unable to set FIPS mode for web server Warning about low storage space for audit events Document Version Pulse Secure, LLC Page 68 of 86