GlobeSurfer® II 1.8 - 7.2 - 7.2 S
REFERENCE MANUAL
Figure 5.87 New Port Triggering Rule
You can disable a port triggering rule without having to remove it from the ‘Port Triggering’ screen.
To temporarily disable a rule, clear the check box next to the service name.
To reinstate it at a later time, simply reselect the check box.
To remove a rule, click the Remove action icon for the service. The service will be permanently removed. There may be a
few default port triggering rules listed when you first access the port triggering screen. Please note that disabling these
rules may result in impaired gateway functionality.
5.3.6 Website restrictions
You may configure GlobeSurfer® II to block specific Internet websites so that they cannot be accessed from computers in the
home network. Moreover, restrictions can be applied to a comprehensive and automatically updated table of sites to which
access is not recommended.
To block access to a website:
1. Click the ‘Website Restrictions’ tab in the ‘Security’ management screen (see Figure 5.88).
Figure 5.88 Website restrictions
2. Click the ‘New Entry’ link. The ‘Restricted Website’ screen will appear (see Figure 5.89).
Figure 5.89 Restricted Website
3. Enter the website address (IP address or URL) that you would like to make inaccessible from your home network (all Web pages within the site will also be blocked). If the website address has multiple IP addresses, GlobeSurfer® II will resolve all additional addresses and automatically add them to the restrictions table.
4. The ‘Local Host’ combo box lets you specify the computer or group of computers to which the website restriction applies. You can select either any computer or a specific computer address in your LAN. If you choose the ‘User Defined’ option, the screen will refresh, and you will be redirected to the ‘Edit network object’ page. To learn more about network objects, see chapter 6.6.8.
5. The ‘Schedule’ combo box allows you to define the time period during which this rule will take effect. By default, the rule will always be active. However, you can configure scheduler rules by selecting ‘User Defined’. To learn how to configure scheduler rules, please refer to section 6.6.4.
6. Click ‘OK’ to save the settings. You will be returned to the previous screen while GlobeSurfer® II attempts to find the site. ‘Resolving...’ will appear in the Status column while the site is being located (the URL is ‘resolved’ into one or more IP addresses).
7. Click the ‘Refresh’ button to update the status if necessary. If the site is successfully located then ‘Resolved’ will appear in the status bar, otherwise ‘Hostname Resolution Failed’ will appear. In case GlobeSurfer® II fails to locate the website, do the following:
   a. Use a Web browser to verify that the website is available. If it is, then you probably entered the website address incorrectly.
   b. If the website is not available, return to the ‘Website Restrictions’ screen at a later time and click the ‘Resolve Now’ button to verify that the website can be found and blocked by GlobeSurfer® II.
You may edit the website restriction by modifying its entry under the ‘Local Host’ column in the ‘Website Restrictions’ screen.
To modify an entry:
1. Click the Edit action icon for the restriction. The ‘Restricted Website’ screen will appear (see Figure 5.89). Modify the website address, group or schedule as necessary.
2. Click the ‘OK’ button to save your changes and return to the ‘Website Restrictions’ screen.
To ensure that all current IP addresses corresponding to the restricted websites are blocked:
1. Click the ‘Resolve Now’ button. GlobeSurfer® II will check each of the restricted website addresses and ensure that all IP addresses at which this website can be found are included in the IP addresses column.
You can disable a restriction in order to make a website available again without having to remove it from the ‘Website
Restrictions’ screen. This may be useful if you wish to make the website available only temporarily and expect that you will
want to block it again in the future.
To temporarily disable a rule, clear the check box next to the service name.
To reinstate it at a later time, simply reselect the check box.
To remove a rule, click the Remove action icon for the service. The service will be permanently removed.
5.3.7 Advanced filtering
Advanced filtering is designed to allow comprehensive control over the firewall’s behavior. You can define specific input and
output rules, control the order of logically similar sets of rules and make a distinction between rules that apply to WAN and
LAN devices.
To view GlobeSurfer® II’s advanced filtering options, click the ‘Advanced Filtering’ tab in the ‘Security’ management screen.
The ‘Advanced Filtering’ screen will appear (see Figure 5.90).
Figure 5.90 Advanced Filtering
This screen is divided into two identical sections, one for ‘Input Rule Sets’ and the other for ‘Output Rule Sets’, which are for
configuring inbound and outbound traffic, respectively. Each section is comprised of subsets, which can be grouped into three
main subjects:
Initial rules - rules defined here will be applied first, on all gateway devices.
Network devices rules - rules can be defined per each gateway device.
Final rules - rules defined here will be applied last, on all gateway devices.
Note:
The order of the firewall rules’ appearance in the ‘Advanced Filtering’ screen represents the sequence by which they will
be applied.
There are numerous rules automatically inserted by the firewall in order to provide improved security and block harmful
attacks.
To configure an advanced filtering rule:
1. After choosing the traffic direction and the device on which to set the rule, click the appropriate New Entry link. The ‘Add Advanced Filter’ screen will appear (see Figure 5.91).
Figure 5.91 Add Advanced Filtering
Matching
To apply a rule, a matching must be made between IP addresses, and a traffic protocol must be defined:
‘Source Address’ The source address of the packets sent to or received from the network object (computer A in the above example). To add an address:
a. Select the ‘User Defined’ option in the combo box. The screen will refresh and you will be directed to the ‘Edit Network Object’ page.
b. Use the ‘Edit Network Object’ page to define your address. Please refer to section 6.6.8 in order to learn how to do so.
‘Destination Address’ The destination address of the packets sent to or received from the network object. This address can be configured in the same manner as the source address.
‘Protocol’ You may choose a specific traffic protocol from the combo box, or add a new one. To add a new traffic protocol:
a. Select the ‘User Defined’ option in the combo box. The screen will refresh and you will be directed to the ‘Edit Service’ page.
b. Use the ‘Edit Service’ page to define your protocol. Please refer to section 6.6.15 in order to learn how to do so.
‘Operation’ Define what action the rule will take, by selecting one of the following radio buttons:
‘DROP’ Deny access to packets that match the source and destination IP addresses and service ports defined in ‘Matching’.
‘REJECT’ Deny access to packets that match the source and destination IP addresses and service ports defined in ‘Matching’, and send an ICMP error or a TCP reset to the originating peer.
‘ACCEPT’ Allow access to packets that match the source and destination IP addresses and service ports defined in ‘Matching’. The data transfer session will be handled using Stateful Packet Inspection (SPI).
‘ACCEPT PACKET’ Allow access to packets that match the source and destination IP addresses and service ports defined in ‘Matching’. The data transfer session will not be handled using Stateful Packet Inspection (SPI), meaning that other packets that match this rule will not be automatically allowed access. For example, this can be useful when creating rules that allow broadcasting.
‘Logging’ Monitor the rule:
‘Log Packets Matched by This Rule’ Check this check box to log the first packet from a connection that was matched by this rule.
‘Schedule’ By default, the rule will always be active. However, you can configure scheduler rules in order to define time segments during which the rule may be active. To learn how to configure scheduler rules, please refer to section 6.6.4.
2. Click ‘OK’ to save the settings.
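The rule ordering (initial, per-device, final) and the difference between ‘ACCEPT’ and ‘ACCEPT PACKET’ can be modelled as follows. This is an added example, not code from the manual or from the GlobeSurfer® II firmware. It collapses the input and output rule sets into a single chain and assumes that the first matching rule decides and that unmatched packets are dropped; all rule names, addresses and packets are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")
ANY = "0.0.0.0/0"   # proto "any" and dport None are the other wildcards

class Rule(namedtuple("Rule", "name src dst proto dport op")):
    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class RuleSets:
    def __init__(self, initial, per_device, final, default="DROP"):
        self.initial, self.per_device, self.final = initial, per_device, final
        self.default = default   # assumption: policy when no rule matches
        self.sessions = set()    # SPI state, created by ACCEPT only

    def decide(self, device, p):
        # A reply to a tracked session is allowed without rule evaluation.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return ("ACCEPT", "tracked session")
        # Screen order: initial rules, the device's rules, final rules.
        for r in self.initial + self.per_device.get(device, []) + self.final:
            if r.matches(p):     # assumption: first matching rule decides
                if r.op == "ACCEPT":
                    self.sessions.add(tuple(p))
                return (r.op, r.name)
        return (self.default, "default")

def demo():
    """Constructed rules and packets; addresses are private/documentation ranges."""
    fw = RuleSets(
        initial=[Rule("block-net", "203.0.113.0/24", ANY, "any", None, "DROP")],
        per_device={"LAN": [
            Rule("https", ANY, ANY, "tcp", 443, "ACCEPT"),
            Rule("bcast", ANY, "192.168.1.255/32", "udp", 9999, "ACCEPT PACKET")]},
        final=[Rule("reject-rest", ANY, ANY, "any", None, "REJECT")])
    packets = [
        Packet("192.168.1.10", "198.51.100.7", "tcp", 40000, 443),   # new session
        Packet("198.51.100.7", "192.168.1.10", "tcp", 443, 40000),   # its reply
        Packet("192.168.1.10", "192.168.1.255", "udp", 5000, 9999),  # broadcast
        Packet("192.168.1.20", "192.168.1.10", "udp", 9999, 5000),   # answer to it
        Packet("203.0.113.9", "192.168.1.10", "tcp", 40001, 443)]    # blocked source
    return [fw.decide("LAN", p) for p in packets]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The reply to the HTTPS session is allowed by session state, while the answer to the broadcast has no state and falls through to the final REJECT rule; the last packet would match the ‘https’ rule but is dropped first by the initial rule.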
5.3.8 Security log
The Security Log displays a list of firewall-related events, including attempts to establish inbound and outbound connections,
attempts to authenticate through an administrative interface (Web-based management or Telnet terminal), firewall
configuration and system start-up.
To view the security log, click the ‘Security Log’ tab in the ‘Security’ management screen. The ‘Security Log’ screen will appear
(see Figure 5.92).
Figure 5.92 Security Log
‘Time’ The time the event occurred.
‘Event’ There are five kinds of events:
Inbound Traffic: The event is a result of an incoming packet.
Outbound Traffic: The event is a result of an outgoing packet.
Firewall Setup: Configuration message.
WBM Login: Indicates that a user has logged in to WBM.
CLI Login: Indicates that a user has logged in to CLI (via Telnet).
