Diffstat (limited to 'content/Getting_Started.tex')
| -rw-r--r-- | content/Getting_Started.tex | 116 |
1 files changed, 56 insertions, 60 deletions
diff --git a/content/Getting_Started.tex b/content/Getting_Started.tex index 95cb69d..f842291 100644 --- a/content/Getting_Started.tex +++ b/content/Getting_Started.tex @@ -9,8 +9,8 @@ %\section{test} %\addcontentsline{toc}{section}{test......} -The following topics provide system overview and detailed steps to help you logging into Tiangou Secure Gateway (TSG). -Then it goes on to elaborate how to set up a basic security policy and a basic proxy policy. +The following topics provide a system overview and detailed steps to help you logging into Tiangou Secure Gateway (TSG). +Then it goes on to elaborate on how to set up a basic security policy and a basic proxy policy. Administrators can configure, manage, and monitor Tiangou Secure Gateway using the web interface, CLI, and TSG Integration API. { @@ -36,7 +36,7 @@ Administrators can configure, manage, and monitor Tiangou Secure Gateway using t \addcontentsline{toc}{subsection}{Purpose} \label{sec:intro:overview:purpose} -The Tiangou Secure Gateway (TSG) can be used for any purpose where keeping track of the traffic flowing in a network is useful. +The Tiangou Secure Gateway (TSG) can be used for any purpose where keeping track of the traffic flowing in a network is helpful. The following are examples of such purposes:\\ 
@@ -54,19 +54,19 @@ The following are examples of such purposes:\\ Tiangou Secure Gateway (TSG) is a scalable traffic management product for all types of network environments. TSG performs deep packet and flow inspection on Internet Protocol (IP) packets, and classifies their content using stream-based analysis engine. TSG Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. -TSG firewall uses a network stack to process the packet, like the OSI model. When a network packet passes through, it will be parsed and resembled to a network session. +TSG firewall uses a network stack to process the packet, like the OSI model. When a network packet passes through, it will be parsed and reassembled to a network session. And the reassembled network session is decoded to identify the embedded content. Tiangou Secure Gateway’s Proxy module enables authorities to perform layer 4-7 advanced manipulation of application and user traffic for interception. -The Proxy is deployed in transparent mode; thus, no proxy settings on browser side. +The Proxy is deployed in transparent mode; thus, no proxy settings on the browser side. TSG enables service providers and organizations to gain insight into their network and control traffic in high-performance environments, such as large data centers and high-bandwidth network perimeters. TSG allows content visibility of HTTP, DNS, MAIL, FTP, SSL and SIP. -TSG identifies and controls applications as well as evasive tools blocking. The TSG is able to modify HTTP sessions, as well as override redirect request, +TSG identifies and controls applications as well as evasive tools blocking. The TSG can modify HTTP sessions, override redirect request, modify headers, inject scripts, replace texts and respond with an uploaded file. -The TSG has an SSL Proxy allows all decrypted traffic to be mirrored to a third-party system for additional analysis. 
+The TSG has an SSL Proxy that allows all decrypted traffic to be mirrored to a third-party system for additional analysis. %\pdfbookmark[2]{Who is this Guide for?}{Who is this Guide for?} @@ -97,8 +97,8 @@ However, the best practice is to install the latest version. \begin{description} - \item[STEP 1.]Using a browser, open the home page of the system, for example, (http://<IP address>). You can use the IPv4 or IPv6 address. - \item[STEP 2.]Enter your username and password defined for the TSG, select your own \textbf{Language} and set the \textbf{Authentication Mode} to \textbf{LOCAL}, then click \textbf{Login}. + \item[STEP 1.]Using a browser, open the system's home page, for example, (http://<IP address>). You can use the IPv4 or IPv6 address. + \item[STEP 2.]Enter your username and password defined for the TSG, select your \textbf{Language} and set the \textbf{Authentication Mode} to \textbf{LOCAL}, then click \textbf{Login}. \item[STEP 3.]You can see your User Name at the top right of the web interface. Click it and you can change the language settings to English, Chinese or Russian. You can also Sign Out from here. \end{description} @@ -136,8 +136,8 @@ To configure current account preference, you can click \textbf{My Account} in th To prevent unauthorized users from gaining access to an account with nothing more than a stolen password. -TSG users can enable Two-Factor authentication strengthen the security of an account. -Two-factor authentication is a combination of two of the following: your password and a text with a code sent to your smartphone or other device. +TSG users can enable Two-Factor authentication to strengthen the security of an admin account. +Two-factor authentication is a combination of two of the following: your password and a text with a code from your smartphone application. It is recommended to use cloud-based mobile authenticator apps such as GOOGLE Authenticator, Microsoft Authenticator. 
@@ -147,7 +147,7 @@ It is recommended to use cloud-based mobile authenticator apps such as GOOGLE Au \label{sec:intro:logging:restrictions} TSG restricts administrator logins to improve system security. An IP address will be Lockout after maximum login attempts. -And you can specify limited IP addresses to be able to login the system. Configure Login Restrictions by the following procedure: +And you can specify limited IP addresses to be able to log in to the system. Configure Login Restrictions by the following procedure: \begin{description} @@ -155,7 +155,7 @@ And you can specify limited IP addresses to be able to login the system. Configu \item[STEP 2.]If you wish to set the IP addresses that are allowed to log in, enable \textbf{Set to allow login IP}. By default, it is off, and all IP addresses are allowed to log in. Once enabled, up to 256 IPv4 CIDRs can be configured. For example, 192.168.0.1/32, 192.168.1.1/24. \item[STEP 3.](\textcolor{gold}{Optional})Add \textbf{IP} addresses if you enabled Set to allow login IP. - \item[STEP 4.]Configure \textbf{Maximum Login Attempts}, if the number of attempts reaches the limit, the client IP will be locked. + \item[STEP 4.]Configure \textbf{Maximum Login Attempts}. If the number of attempts reaches the limit, the client IP will be locked. \item[STEP 5.]Specify \textbf{Lockout Time}. Within the lockout time period, this client IP cannot log into the system even with the correct user name and password. \item[STEP 6.]Click \textbf{OK}. \end{description} 
@@ -165,7 +165,7 @@ And you can specify limited IP addresses to be able to login the system. Configu \addcontentsline{toc}{section}{Set Up a Basic Security Policy} \label{sec:intro:security} -Use the following workflow set up a very basic Security policy. This gives you a brief idea of policies so that you can verify that you have successfully configured TSG. +Use the following workflow to set up a basic Security policy. This gives you a brief idea of policies to verify that you have successfully configured TSG. \begin{description} \item[STEP 1.] Launch the Web Interface. @@ -188,7 +188,9 @@ Use the following workflow set up a very basic Security policy. This gives you a \item Verify that Enabled is enabled. \item Click \textbf{OK}. \end{enumerate} - \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 when it sends a HTTP request to the 172.16.0.1 server: + \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated + and determine which rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 + when it sends a HTTP request to the 172.16.0.1 server: \begin{enumerate} \item Select \textbf{System} > \textbf{Trouble Shooting} > \textbf{Policy Verify}. \item Select \textbf{Security Policy Match} from the \textbf{Select Test} drop-down. 
@@ -197,13 +199,13 @@ Use the following workflow set up a very basic Security policy. This gives you a \item Select the \textbf{Protocol} and \textbf{APP ID} from the drop-down. \item Click \textbf{Verify} to execute the \textbf{Security policy match} test. \end{enumerate} - \item[STEP 3.] After the policy has been hit, view Logs to monitor the policy rule status and determine the effectiveness of the policy rule. + \item[STEP 3.] After the policy has been matched, view Logs to monitor the policy rule status and determine the effectiveness. Select \textbf{Logs} > \textbf{Security Events} and view relative information about the policy. \end{description} -\notemark\textit{When you are creating or editing policies and objects, click the sidebar menu will not navigate you to the corresponding page. -A prompt window will appear to remind you that changes you made are not saved.} +\notemark\textit{When creating or editing policies and objects, click the sidebar menu will not navigate you to the corresponding page. +A prompt window will appear to remind you that the changes you made are not saved.} %\pdfbookmark[1]{Set Up a Basic Proxy Policy}{Set Up a Basic Proxy Policy} @@ -211,7 +213,7 @@ A prompt window will appear to remind you that changes you made are not saved.} \addcontentsline{toc}{section}{Set Up a Basic Proxy Policy} \label{sec:intro:proxy} -Security Policies with Intercept actions intercept HTTP/HTTPS traffic for proxy, which is a prerequisite for proxy policy. +Security Policies with Intercept actions intercept HTTP/HTTPS traffic for proxy, it's a prerequisite for proxy policy. You can perform the following to set up a basic proxy policy. \\ 
@@ -256,12 +258,12 @@ You can perform the following to set up a basic proxy policy. \\ You can use the TSG Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH. The TSG CLI is a TSG specific command shell. By leveraging industry-standard tools and utilities, the CLI provides a set of commands that you can use to monitor and configure TSG devices. -TSG CLI supports two types of command, TSG specified commands and Linux-like system operational commands. -TSG specified commands help control policy and object, configure and check devices status. The commands related with policy and object control work on all TSG devices cluster. -The other CLI commands only work on local device. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency. +TSG CLI supports two types of commands, TSG specified commands and Linux-like system operational commands. +TSG specified commands help control policy and object, configure and check devices status. The commands related to policy and object control work on all TSG cluster. +The other CLI commands only work on local devices. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency. -For more details, please view \textcolor{darkblue}{\textbf{\underline{TSG CLI User Guide}}}. +For more details, please view the \textcolor{darkblue}{\textbf{\underline{TSG CLI User Guide}}}. %\pdfbookmark[1]{TSG Integration API}{TSG Integration API} \section*{\hypertarget{link:TSG Integration API}{TSG Integration API}} 
@@ -321,7 +323,7 @@ To restrict system access to authorized users, TSG provides role-based access co and users are made members of appropriate roles, thereby acquiring the roles' permissions. This leads to “user-role-permission” authorization model. In TSG system, the relationship between users and roles is one-to-one, and the relationship between roles and functional permissions is one-to-many. That is, a user can only have one role, and a role can be assigned multi-level permissions to different features. For each feature, there are three permission levels: Enable, Read Only and Disable. -When the user has Read Only permission to a feature which normally is related with certain menu, the user cannot click Create, Edit, Delete, Enable and Disable button +When the user has Read Only permission to a feature that normally is related to a certain menu, the user cannot click the Create, Edit, Delete, Enable and Disable button and the detail pages of Policies and Objects are locked. 
@@ -338,28 +340,25 @@ Perform the following steps to add a LOCAL administrative account on TSG.\\ \begin{description} \item[STEP 1.] Select \textbf{Administration} > \textbf{Admins}, select tab Users and click \textbf{Create}. \item[STEP 2.] Enter a \textbf{Name} to identify the account. - \item[STEP 3.] Enter your \textbf{User Name} which is the login name and \textbf{Password}. + \item[STEP 3.] Enter your \textbf{User Name}, which is the login name and \textbf{Password}. \item[STEP 4.] Please \textbf{Confirm Password}. \item[STEP 5.] If you enable \textbf{Required Password Change}, fill in the \textbf{Required Password Change Period}. - A message will show up when you login after the period expires to enforce you to change to a new password. + A message will show up when you log in after the period expires to force you to change to a new password. \item[STEP 6.] Verify that the account is \textbf{Enabled}. - \item[STEP 7.] Select \textbf{Role} from dropdown list. Each account must and can only have one role, which defines different user permissions. + \item[STEP 7.] Select \textbf{Role} from the dropdown list. Each account must and can only have one role, which defines different user permissions. For details, see \hyperlink{link:Roles and Permissions}{\textcolor{linkblue}{Roles and Permissions}}. \item[STEP 8.] Click \textbf{OK}. - \item[STEP 9.] (\textcolor{gold}{Optional})To verify that you have add a TSG account effectively, you can \textbf{Sign Out} and log into the system with the new account. + \item[STEP 9.] (\textcolor{gold}{Optional})To verify that you have added a TSG account effectively, you can \textbf{Sign Out} and log into the system with the new account. Select \textbf{System Logs} > \textbf{Login Log} and you can view your login information. 
\end{description} If compliance, audit, or security requirements stipulate that the default administrative account must be removed from your devices, -you can remove it after you create at least one other superuser administrative account. -You cannot remove the default administrative account until you configure at least one other superuser administrative account on the device. +you can block it after you create at least one other superuser administrative account. +You cannot block the default administrative account until you configure at least one other superuser administrative account on the device. Perform the following steps to delete an account on TSG.\\ \begin{description} - \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Admins} and find the item you want to delete in the list. - \item[STEP 2.] Click \textbf{Delete} at the top left. Click \textbf{Delete} to confirm. + \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Admins} and find the item you want to disable in the list. + \item[STEP 2.] Disable the account by turn off the \textbf{Enable} switch. \end{description} -If you wish to temporarily disable an account, you can search it by User Name or Name at the top right search box. -Then click the switch under \textbf{Enable}. Please make sure your account is assigned the proper role with proper permission before you do \textbf{Delete} or \textbf{Enable}. -See \hyperlink{link:Roles and Permissions}{\textcolor{linkblue}{Roles and Permissions}} to find more details. \notemark\textit{And TSG supports 100 concurrent users at present.} 
@@ -374,8 +373,8 @@ There are two predefined roles in TSG, including:\\ • superreader: read only permissions to all features. -\notemark\textit{If a user’s role permissions enable TSG feature "Administrator-Users-Users" and at least include "Administrator-Users-Roles" Read Only access, -the user can create new users, and modify other users’ role permissions. This ability can affect the access rights of all users, please authorize with caution.} +\notemark\textit{Suppose a user’s role permissions enable TSG feature "Administrator-Users-Users" and at least include "Administrator-Users-Roles" Read Only access. In that case, +the user can create new users, and modify other users’ role permissions. This ability can affect the access rights of all users. Please authorize with caution.} Perform the following to create a new role: @@ -390,7 +389,7 @@ Perform the following to create a new role: \end{description} -\notemark\textit{It is recommended to configure the same access permission for Policies, Objects and System menu, because their data are related. +\notemark\textit{It is recommended to configure the same access permission for the Policies, Objects and System menu, because their data are related. Make sure Devices are enabled before you enable Dashboard, because Devices affects the reading of data for device module in Dashboard.} @@ -399,7 +398,7 @@ Make sure Devices are enabled before you enable Dashboard, because Devices affec \addcontentsline{toc}{subsection}{Enroll LDAP Servers} \label{sec:intro:admin:ldap} -Configuring TSG to connect to a LDAP server enables you to login in LDAP Authentication Mode with LDAP account. Perform the following steps to add a LDAP server on TSG. +Configuring TSG to connect to an LDAP server enables you to login in LDAP Authentication Mode with LDAP account. Perform the following steps to add a LDAP server on TSG. \begin{description} 
@@ -407,21 +406,21 @@ Configuring TSG to connect to a LDAP server enables you to login in LDAP Authent \item[STEP 2.] Define a \textbf{Name} to specify the LDAP server. \item[STEP 3.] Enter your \textbf{Host} and \textbf{Port} of the LDAP server. \item[STEP 4.] Enter your \textbf{User Name}, which is the administrative user of LDAP server, and \textbf{User Mapper} which specifies the hierarchy of LDAP user. - \item[STEP 5.] Enter the \textbf{Password} of user in STEP 4. Verify that \textbf{Enabled} is on. + \item[STEP 5.] Enter the \textbf{Password} of the user in STEP 4. Verify that \textbf{Enabled} is on. \item[STEP 6.] \textbf{Test Connection}. After success, click \textbf{OK}. - \item[STEP 7.] (\textcolor{gold}{Optional})To verify that you have add a LDAP server effectively, you can view related information on the \textbf{LDAP Server} list page. + \item[STEP 7.] (\textcolor{gold}{Optional})To verify that you have added an LDAP server effectively, you can view related information on the \textbf{LDAP Server} list page. \end{description} -After setting LDAP server, you can login using the LDAP accounts of enrolled LDAP server. -After a LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Admins} of \textbf{Administration} > \textbf{Admins}. -The column Source indicates the type of account which is shown as LDAP for LDAP account. +After setting LDAP server, you can log in using the LDAP accounts of the enrolled LDAP server. +After an LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Admins} of \textbf{Administration} > \textbf{Admins}. +The column Source indicates the type of account which is shown as LDAP for the LDAP account. The column User name includes the full path for LDAP user, and the value of “uid” is the actual login username on TSG. -When logging into TSG system for the first time with LDAP user, TSG system will assign the user the role supperreader by default. 
-If the LDAP user requires other role permissions, you need to login by other users who have permission to modify a user’s role to modify it. +When logging into the TSG system for the first time with LDAP user, the TSG system will assign the user the role supperreader by default. +If the LDAP user requires other role permissions, you need to log in by other users who have permission to modify a user’s role to modify it. -In \textbf{Server Profiles} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. +On the \textbf{Server Profiles} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. Select the item you wish to change in the list and click \textbf{Edit} to modify LDAP server information. You can delete or disable the LDAP server and after that you will not be able to log into the system with the LDAP account. 
@@ -430,9 +429,9 @@ You can delete or disable the LDAP server and after that you will not be able to \addcontentsline{toc}{subsection}{Audit Log} \label{sec:intro:admin:audit} -If you perform an operation which influence the running of TSG, TSG will generate a log about this action. -For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs, etc. -You can view \textbf{System Logs} > \textbf{Audit Log} to see details. You can query audit logs within certain time range by ID, Source IP or Target Type. +If you perform an operation that influence the running of TSG, TSG will generate a log about this action. +For example, the Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs storage, etc. +You can view \textbf{System Logs} > \textbf{Audit Log} to see details. You can query audit logs within specific time range by ID, Source IP or Target Type. Audit logs can be exported as trace evidence. And when you are editing a policy or an object, you will find a link to audit log about this policy or object. %\pdfbookmark[2]{Mail Server}{Mail Server} 
@@ -440,20 +439,17 @@ Audit logs can be exported as trace evidence. And when you are editing a policy \addcontentsline{toc}{subsection}{Mail Server} \label{sec:intro:admin:mail} -Configure Mail Server to send mail alerts, which is currently used to send reports. Perform the following to create a Mail server profile: +Configure Mail Server to send mail alerts, which is used to send reports. Perform the following to create a Mail server profile: \begin{description} - \item[STEP 1.] If you perform an operation which influence the running of TSG, TSG will generate a log about this action. - For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs. - You can view \textbf{Administration} > \textbf{Audit Logs} to see details. - \item[STEP 2.] Select \textbf{Server Profiles} > \textbf{EMail Servers}. - \item[STEP 3.] For Simple Mail Transport Protocol (SMTP) server (email server), Add a \textbf{Server} and \textbf{Port}. - \item[STEP 4.] Enable \textbf{Need Authentication}. - \item[STEP 5.] Define a \textbf{Name} to identify the SMTP server (1-32characters). This field is just a label and doesn’t have to be the hostname of an existing email server. + \item[STEP 1.] Select \textbf{Server Profiles} > \textbf{EMail Servers}. + \item[STEP 2.] For Simple Mail Transport Protocol (SMTP) server (email server), Add a \textbf{Server} and \textbf{Port}. + \item[STEP 3.] Enable \textbf{Need Authentication}. + \item[STEP 4.] Define a \textbf{Name} to identify the SMTP server (1-32characters). This field is just a label and doesn’t have to be the hostname of an existing email server. Define \textbf{E-mail}, the name to show in the \textbf{From} field of the email. - \item[STEP 6.] Enable \textbf{SSL}. - \item[STEP 7.] Click \textbf{OK} to save the Email server profile. + \item[STEP 5.] Enable \textbf{SSL}. + \item[STEP 6.] Click \textbf{OK} to save the Email server profile. \end{description} |
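Review bot: in the hunk at @@ -9,8 the first changed line still reads "help you logging into Tiangou Secure Gateway"; the added article fixes "a system overview", but the verb should also change, to "help you log in to Tiangou Secure Gateway (TSG)".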
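Review bot: in the hunk at @@ -54,19 several lines are still ungrammatical after the change: "parsed and reassembled to a network session" should be "reassembled into a network session", "using stream-based analysis engine" needs "a", "as well as evasive tools blocking" should read "and blocks evasive tools", and "override redirect request" needs "requests".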
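Review bot: STEP 1 in the hunk at @@ -97,8 writes the login URL as "(http://<IP address>)" in plain LaTeX text, where "<" and ">" render as inverted punctuation under the default OT1 font encoding; use \texttt{http://\textless IP address\textgreater} or the url package. The example also shows plain http for the page that takes the administrator password; if the web interface is served over TLS, show https:// here so the documented login path does not send credentials in clear text.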
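Review bot: in the hunk at @@ -136,8 the opening context line "To prevent unauthorized users from gaining access to an account with nothing more than a stolen password." is a sentence fragment and should be joined to the sentence that follows it. The rewritten definition says "a combination of two of the following" but lists exactly two items, and after the change the second factor is a code from an authenticator app rather than a text message, so "a text with a code" no longer fits; suggest "your password and a one-time code generated by an authenticator app on your smartphone". "GOOGLE Authenticator" should be "Google Authenticator".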
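Review bot: the context line in the hunk at @@ -147,7 "An IP address will be Lockout after maximum login attempts" should read "will be locked out after the maximum number of login attempts"; the changed line itself is fine.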
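Review bot: STEP 2 in the hunk at @@ -155,7 gives "192.168.1.1/24" as an example allowed-login CIDR, which has host bits set; a reader copying it may expect a single host rather than the whole /24, so use "192.168.1.0/24". STEP 2 and STEP 3 also format the switch name differently (bold "Set to allow login IP" in one, plain in the other); keep them consistent.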
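Review bot: in the hunk at @@ -188,7 the rewrapped STEP 2 still has "a HTTP request"; use "an HTTP request". The line breaks inside the \item are harmless for LaTeX.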
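Review bot: the rewritten \notemark in the hunk at @@ -197,13 still reads "click the sidebar menu will not navigate you"; it needs "clicking the sidebar menu".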
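Review bot: the change in the hunk at @@ -211,7 replaces a correct relative clause with a comma splice ("traffic for proxy, it's a prerequisite for proxy policy"); keep the original "which is a prerequisite for the proxy policy", or split it into two sentences.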
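Review bot: in the hunk at @@ -256,12 "work on all TSG cluster" drops "devices" and now reads as if there were a single cluster; "work on all devices in the TSG cluster" says what the old line meant. "TSG specified commands" should be "TSG-specific commands" in both changed lines, and "only work on local devices" should stay singular ("on the local device"), since the contrast is with cluster-wide commands.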
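Review bot: in the hunk at @@ -321,7 "the Create, Edit, Delete, Enable and Disable button" should be plural "buttons", and the context line "This leads to “user-role-permission” authorization model" needs "a".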
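Review bot: the hunk at @@ -338,28 changes the prose from "remove" to "block" the default administrative account, but the steps that follow disable it and the lead-in sentence still says "Perform the following steps to delete an account"; pick one term (the UI switch is called Enable, so "disable") and use it in all three places. STEP 2 "by turn off the Enable switch" should be "by turning off". The removed sentence "Please make sure your account is assigned the proper role with proper permission before you do Delete or Enable" and its link to Roles and Permissions were the only reminder that this action requires the right role; keep a version of it next to the new steps.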
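Review bot: in the hunk at @@ -374,8 the rewrite into "Suppose ... In that case," reads awkwardly for a warning; "If a user's role enables ... and includes at least Read Only access to ..., the user can create new users and modify other users' role permissions" keeps it in one sentence. The feature names "Administrator-Users-Users" and "Administrator-Users-Roles" also do not match the menu path used elsewhere in this file ("Administration > Admins"); align them with the UI labels.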
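Review bot: in the hunk at @@ -399,7 the changed line fixes the first "a LDAP" but leaves "add a LDAP server" at the end of the same line, and "enables you to login in LDAP Authentication Mode with LDAP account" should read "enables you to log in in LDAP Authentication Mode with an LDAP account".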
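Review bot: in the hunk at @@ -407,21 the changed line still spells the default role "supperreader"; the predefined role is "superreader" earlier in this file, and a reader searching the role list will not find the misspelt name. "After an LDAP account login TSG first time" should be "After an LDAP account logs into TSG for the first time", and "log in by other users" should be "log in as another user". STEP 4 asks for "the administrative user of LDAP server" as the bind account; if the gateway only needs to search and bind, document that a read-only bind account is sufficient so an LDAP administrator's password is not stored on the device. STEP 3 documents Host and Port but not whether the connection uses LDAPS or StartTLS; state it here, since the password from STEP 5 crosses the network on every bind.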
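Review bot: in the hunk at @@ -430,9 "an operation that influence the running of TSG" needs "influences", "clearing traffic logs storage" should be "clearing the traffic log storage", and "within specific time range" needs "a".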
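Review bot: dropping the duplicated Audit Log paragraph from STEP 1 in the hunk at @@ -440,20 is the right fix, and the renumbering is consistent. In the kept STEP 4 "(1-32characters)" needs a space, and "Add a Server" should be lower-case "add". STEP 5 "Enable SSL" gives no guidance: say that it should be on whenever the SMTP server supports it, because the credentials configured under STEP 3 are otherwise sent in clear text each time a report is mailed.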
