From 2aa06bf2d20e6b03ad8ceeb5e20fb5ccb99279c1 Mon Sep 17 00:00:00 2001 From: 蒋维 Date: Thu, 15 Jul 2021 16:32:47 +0800 Subject: 21.07 revision MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Guide_Setup.tex | 6 +- TSG_Administrator's_Guide_Latest_EN.pdf | Bin 694826 -> 711643 bytes content/Advanced_Setting.tex | 14 +- content/Appendix_Built-in_Category.tex | 2 +- content/Appendix_Log_Fields_Description.tex | 20 ++ content/Appendix_Predefined_Applications.tex | 1 + content/Decryption.tex | 30 +-- content/Getting_Started.tex | 59 ++++-- content/Monitoring.tex | 269 ++++++++++++++++++++++++++- content/Objects.tex | 31 ++- content/Policies.tex | 133 ++++++++++++- 11 files changed, 502 insertions(+), 63 deletions(-) diff --git a/Guide_Setup.tex b/Guide_Setup.tex index 7424241..85fb1a2 100644 --- a/Guide_Setup.tex +++ b/Guide_Setup.tex @@ -12,10 +12,10 @@ % Information and Commands for Reuse % ************************************************** \newcommand{\thesisTitle}{TSG Administrator’s Guide} -\newcommand{\thesisName}{JW} +\newcommand{\thesisName}{Geedge Team} \newcommand{\thesisSubject}{Documentation} -\newcommand{\thesisDate}{April 15, 2021} -\newcommand{\thesisVersion}{21.03} +\newcommand{\thesisDate}{July 21, 2021} +\newcommand{\thesisVersion}{21.07} %下面的新命令暂时没有用。 \newcommand{\thesisFirstReviewer}{Jane Doe} diff --git a/TSG_Administrator's_Guide_Latest_EN.pdf b/TSG_Administrator's_Guide_Latest_EN.pdf index 33f09fe..5ebeae2 100644 Binary files a/TSG_Administrator's_Guide_Latest_EN.pdf and b/TSG_Administrator's_Guide_Latest_EN.pdf differ diff --git a/content/Advanced_Setting.tex b/content/Advanced_Setting.tex index c5d6dd8..1ca2e1f 100644 --- a/content/Advanced_Setting.tex +++ b/content/Advanced_Setting.tex 
@@ -11,6 +11,7 @@ This section contains information about configuring TSG advanced features, inclu \color{linkblue} \hyperlink{link:Proxy TCP Options}{> Proxy TCP Options} \\ \hyperlink{link:System Usage }{> System Usage } \\ +\hyperlink{link:System Appearance }{> System Appearance } \\ } \clearpage @@ -22,7 +23,7 @@ This section contains information about configuring TSG advanced features, inclu TSG provides TCP default option which keeps the Enable TCP Passthrough and Bypass Duplicated Packet off. However, you can Create your own Proxy TCP Options for special situations. Under certain boundary conditions of network transmission, some network parameters need to be renegotiated during network transmission, such as MTU. The network equipment will renegotiate network parameters through some mechanisms, and the negotiation process may not under precise monitor of TSG. And it may affect related policies. In this case, the affected network parameters need to be preset through the PROXY TCP OPTION. \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Advanced} > \textbf{Proxy TCP Options}, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Proxy TCP Options}, and click \textbf{Create}. \item[STEP 2.] Specify Proxy TCP Options name and effective scope. \begin{enumerate} \item Enter a descriptive \textbf{Name}. 
@@ -101,10 +102,17 @@ In this scenario, the storage space for Files is generally smaller than 150\% of To configure Storage Usage and expiration period: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Advanced} > \textbf{System Usage}. It displays Storage Usage percentage for Reports and Metrics, Files and Traffic Logs. You can view History Log Storage by time. + \item[STEP 1.] Select \textbf{System} > \textbf{System Usage}. It displays Storage Usage percentage for Reports and Metrics, Files and Traffic Logs. You can view History Log Storage by time. \warnmark\textit{Warning: Please take caution when performing STEP 2 and STEP 3, because this operation is not recoverable.} \item[STEP 2.] (\textcolor{gold}{Optional})Click \textbf{Setting}. Check \CheckedBox I understand the risks. Enter the Max Days for each type and Click \textbf{OK}. TSG will delete logs and reports that exceed the expiration period. It may take a long time, during which the maximum sustainable log rate will degrade. \item[STEP 3.] (\textcolor{gold}{Optional})To clear data once, click \textbf{Clear} to Clear Traffic Logs, Clear Reports and Metrics, Clear Files or Clear All Data. -\end{description} \ No newline at end of file +\end{description} + +\section*{\hypertarget{link:System Appearance}{System Appearance}} +\addcontentsline{toc}{section}{System Appearance} +\label{sec:setting:appearance} + +System appearance enables user to customize firewall’s logo, title and default language. +Go to \textbf{System} > \textbf{System Appearance} to upload your own logo, favicon, specify title, and select default language. \ No newline at end of file diff --git a/content/Appendix_Built-in_Category.tex b/content/Appendix_Built-in_Category.tex index 4fc1e9e..2961590 100644 --- a/content/Appendix_Built-in_Category.tex +++ b/content/Appendix_Built-in_Category.tex 
@@ -56,7 +56,7 @@ Built-in Category & travel & Sites with information about foreign countries, travel companies, travel fares, accommodations and everything else that has to do with travel including travel blogs.\\ \cline{2-3} & traffic & Sites concerning the business of commercial transportation by land, sea or air. \\ \cline{2-3} & violence & Sites about killing and harming people. Covers anything about brutality and bestiality. \\ \cline{2-3} - & Real Estate & Websites that promote the sale or renting of real estate properties.\\ \cline{2-3} + & Real Estate & Information on buying, selling or renting real estate or properties. Serve for buyers, sellers, landlords, renters, agents, and other home professionals. Work as a marketing channel for the professional service providers that contribute to the transaction. Realtors, mortgage professionals, banks, and inspectors can advertise on the website to generate leads.\\ \cline{2-3} & religion & Sites with religious content: all kind of churches, sects, religious interpretations and so on. \\ \cline{2-3} & weapons & Sites offering all kinds of weapons or accessories for weapons: Firearms, knifes, swords, bows... Armory shops are included as well as sites holding general information about arms (manufacturing, usage).\\ \cline{2-3} & Government and Legal Organizations & Government: Sites sponsored by branches, bureaus, or agencies of any level of government, except for the armed forces, including courts, police institutions, city-level government institutions. Legal Organizations: Sites that discuss or explain laws of various government entities.\\ \cline{2-3} diff --git a/content/Appendix_Log_Fields_Description.tex b/content/Appendix_Log_Fields_Description.tex index 635c704..2813e77 100644 --- a/content/Appendix_Log_Fields_Description.tex +++ b/content/Appendix_Log_Fields_Description.tex 
@@ -20,6 +20,8 @@ it will display columns that the user has previously configured. The fields with Proxy Event Logs & Base, HTTP and DoH \\\hline Session Records & All types except Radius \\\hline Radius Logs & Base and Radius \\\hline + VoIP Records & Base, SIP and RTP \\ \hline + GTP-C Records & Base and GTP-C \\ \hline \end{longtable} %\pdfbookmark[1]{Base}{Base} @@ -355,6 +357,24 @@ it will display columns that the user has previously configured. The fields with 2: s2c }} \\\hline \end{longtable} +\subsection*{\hypertarget{link:GTP-C}{GTP-C}} +\addcontentsline{toc}{subsection}{GTP-C} +\label{sec:appendix_c:protocol:GTP-C} + +\begin{longtable}{p{0.27\textwidth}|p{0.67\textwidth}} + \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Field}} & \textcolor{white}{Description} \\\hline + gtp\_version & GTP-C version number \\\hline + gtp\_apn & Access Point Name \\\hline + gtp\_imei & International Mobile Equipment Identity \\\hline + gtp\_imsi & International Mobile Subscriber Identity \\\hline + gtp\_phone\_number & Phone Number \\\hline + gtp\_uplink\_teid & Up TEID \\\hline + gtp\_downlink\_teid & Down TEID \\\hline + gtp\_msg\_type & Create, modify, delete \\\hline + gtp\_end\_user\_ipv4 & IPV4 \\\hline + gtp\_end\_user\_ipv6 & IPV6 \\\hline +\end{longtable} + %\pdfbookmark[2]{RADIUS}{RADIUS} \subsection*{\hypertarget{link:RADIUS}{RADIUS}} \addcontentsline{toc}{subsection}{RADIUS} diff --git a/content/Appendix_Predefined_Applications.tex b/content/Appendix_Predefined_Applications.tex index 26d79a5..340020a 100644 --- a/content/Appendix_Predefined_Applications.tex +++ b/content/Appendix_Predefined_Applications.tex 
@@ -56,6 +56,7 @@ LDAP & 148 & business-systems & auth-service & (Lightweight Directory Access Protocol) A protocol used to access a directory listing in a TCP/IP network. LDAP is used to query network directories, email servers and other information repositories. \\ \hline RTMP & 149 & media & photo-video & (Real-Time Messaging Protocol) A proprietary streaming protocol from Adobe that is supported in its Flash Media Server/Adobe Media Server platforms. RTMP defines "virtual channels" that operate independently (audio, video, control messages, etc.).\\ \hline RTSP & 150 & media & photo-video & (RealTime Streaming Protocol) An application layer protocol used to transmit streaming audio, video and 3D animation over the Internet. It enables the user's client software to provide remote control of the server with functions such as pause, rewind and fast forward.\\ \hline + SSL with ESNI & 8008 & networking & encrypted & SSL with Encrypted SNI \\ \hline \end{longtable} \begin{longtable}{p{0.36\textwidth}|p{0.1\textwidth}|p{0.24\textwidth}|p{0.24\textwidth}} diff --git a/content/Decryption.tex b/content/Decryption.tex index 6f47912..c77577a 100644 --- a/content/Decryption.tex +++ b/content/Decryption.tex 
@@ -74,7 +74,7 @@ The digital certificates are used to ensure trust between parties in a secure co TSG trusts the most common and trusted authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates TSG requires to secure connections to the internet. The additional CAs you might want to add are trusted enterprise CAs that your organization requires. You can perform the following to import a certificate: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Certificate Managements} and select \textbf{Trusted Certificate Authorities} tab, Click \textbf{Import}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} and select \textbf{Trusted Certificate Authorities} tab, Click \textbf{Import}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. It can use only letters, numbers, hyphens, and underscores. \item[STEP 3.] Click \textbf{Please upload} and upload a PEM (base64-encoded) format file. \item[STEP 4.] Click \textbf{OK}. @@ -104,7 +104,7 @@ Note that the built-in certificate with ID 1(\#1) means trusted certificate, and You can perform the following to Import a Certificate and Private Key: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Certificate Managements} and select \textbf{Decryption Keyrings} tab, Click \textbf{Create} + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Keyrings}, Click \textbf{Create} \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] \textbf{Please Upload} a \textbf{Certificate}. For Intermediate CA, certificate must be a complete chain. \item[STEP 4.] \textbf{Please Upload} a \textbf{Private Key File} separately. It supports PEM (base64-encoded) format only. 
@@ -164,7 +164,7 @@ SSL Decryption Exclusion can exclude two types of traffic from decryption: Perform the following to exclude a Server from Decryption: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Certificate Managements} and select \textbf{SSL Decryption Exclusion} tab, Click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Exclusion}, Click \textbf{Create}. \item[STEP 2.] Enter an \textbf{FQDN}, it supports suffix matching and exactly matching only. E.g. *.example.com, \$www.example.com. \item[STEP 3.] Enter a \textbf{Description}. The description can have up to 255 characters. \item[STEP 4.] Click \textbf{OK}. @@ -182,8 +182,8 @@ You can search exclusion list based on ID and Name. Enter search conditions in s \addcontentsline{toc}{subsection}{Cached Intermediate Certificates} \label{sec:decrypt:certificate:cached} -TSG will automatically cache intermediate certificates. You can select \textbf{Settings} > \textbf{Certificate Managements} -and select \textbf{Cached Intermediate Certificates} tab to view detailed information about these Intermediate Certificates. +TSG will automatically cache intermediate certificates. You can select \textbf{Profiles} > \textbf{Decryption} +and select \textbf{Cached Intermediate Certificates} to view detailed information about these Intermediate Certificates. These Intermediate Certificates are issued by Trusted Certificate Authorities, which is an effort to amend the incomplete certificate chain. TSG will collect the following information: source website, issuer by, issuer to, Cn, and expiry date. 
@@ -228,7 +228,7 @@ The overall process is as follows: Perform the following steps to create an SSL fingerprint: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Certificate Managements}, select \textbf{SSL Fingerprint} tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Fingerprint}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{JA3 Hash}. \item[STEP 3.] Select Yes or No for \textbf{Pinning}. \item[STEP 4.] (\textcolor{gold}{Optional})Enter a \textbf{Description}. The description can have up to 1024 characters. @@ -261,7 +261,7 @@ you can specify a Response Code and a Response Content to generate an error page or you could upload a html file via \textbf{Proxy Profile} > \textbf{Response Pages}. \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Proxy Profile}, select \textbf{Response Pages} tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Response Pages} tab, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Please Upload a \textbf{File}. Allow html/htm format only. \end{description} 
@@ -276,10 +276,10 @@ You can search page list based on ID and Name. Enter search conditions in search \addcontentsline{toc}{subsection}{Insert Scripts} \label{sec:decrypt:profile:insert} -The Proxy Policy can insert a “js” or “css” scripts to webpages. You can upload a script via \textbf{Proxy Profile} > \textbf{Insert Scripts}. +The Proxy Policy can insert a “js” or “css” scripts to webpages. You can upload a script via \textbf{Proxy} > \textbf{Insert Scripts}. \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Proxy Profile}, select \textbf{Insert Script}s tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Insert scripts}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Please Upload a \textbf{Script}. Allow js” and “css” only. \item[STEP 4.] Select a \textbf{Script Type} from drop-down. @@ -296,10 +296,10 @@ You can search scripts list based on ID and Name. Enter search conditions in sea \addcontentsline{toc}{subsection}{Hijack Files} \label{sec:decrypt:profile:hijack} -The Proxy Policy can hijack a downloading file or page. You can upload a file, img or html for hijack via \textbf{Proxy Profile} > \textbf{Hijack Files}. +The Proxy Policy can hijack a downloading file or page. You can upload a file, img or html for hijack via \textbf{Proxy} > \textbf{Hijack Files}. \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Proxy Profile}, select \textbf{Hijack Files} tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Hijack Files}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 64 characters. \item[STEP 3.] Please Upload a \textbf{File}. Allow img, exe, apk, and html type only. \item[STEP 4.] Enable Mirror Server Response or enter a \textbf{Download Name}. 
@@ -314,8 +314,8 @@ Click \textbf{Edit} or \textbf{Delete} at the top left. To download it, you can You can search file list based on ID and Name. Enter search conditions in search bar and click search icon. %\pdfbookmark[2]{Traffic Mirror Profiles}{Traffic Mirror Profiles} -\subsection*{\hypertarget{link:Traffic Mirror Profiles}{Traffic Mirror Profiles}} -\addcontentsline{toc}{subsection}{Traffic Mirror Profiles} +\subsection*{\hypertarget{link:Decryption Mirror Profiles}{Decryption Mirror Profiles}} +\addcontentsline{toc}{subsection}{Decryption Mirror Profiles} \label{sec:decrypt:profile:mirror} You also can mirror proxied traffic (decrypted) to third-party servers by referring a traffic mirror profile. The destination servers are described with VLAN Tag or MAC addresses, traffic will be load balanced over multiple servers of one profile. @@ -324,7 +324,7 @@ You also can mirror proxied traffic (decrypted) to third-party servers by referr You can manage the profile by the following procedure: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Proxy Profile}, select \textbf{Traffic Mirror Profiles} tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Decryption Mirror Profiles} tab, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Select VLAN or MAC as your \textbf{Connectivity} from drop-down. \item[STEP 4.] Enter \textbf{VLAN ID/MAC}. Make sure to input valid mirror destination MAC address. 
@@ -478,7 +478,7 @@ HTTP/2 is a major revision of the HTTP network protocol that provide increased s Perform the following to create a decryption profile: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Proxy Profile}, select \textbf{Decryption Profile} tab, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Profile}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Enable or disable the following certificate checks: \textbf{Common Name}, \textbf{Issuer}, \textbf{Self-signed} and \textbf{Expiry Date}. If you enable Common Name, select Fail-close or Pass-through as your \textbf{Fail Action}. \item[STEP 4.] Enable or disable the following Dynamic bypass: \textbf{EV Certificate}, \textbf{Certificate Transparency}, \textbf{Mutual Authentication}, \textbf{On Protocol Errors}, \textbf{Certificate Pinning}, \textbf{Certificate Not Installed}. diff --git a/content/Getting_Started.tex b/content/Getting_Started.tex index d1ea6f9..bef3111 100644 --- a/content/Getting_Started.tex +++ b/content/Getting_Started.tex @@ -82,6 +82,11 @@ This manual is for TSG operators, system administrators and implementation perso \addcontentsline{toc}{section}{Logging into the System} \label{sec:intro:logging} +%\pdfbookmark[2]{Logging into the Web Interface}{Logging into the Web Interface} +\subsection*{\hypertarget{link:Logging into the Web Interface}{Logging into the Web Interface}} +\addcontentsline{toc}{subsection}{Logging into the Web Interface} +\label{sec:intro:logging:for} + You can use the Web Interface to perform configuration and monitoring tasks with relative ease. This graphical interface allows you to access TSG using HTTP and it is the best way to perform administrative tasks. 
@@ -101,12 +106,6 @@ However, the best practice is to install the latest version. \notemark\textit{Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing information directories. You can connect to an LDAP server when you set the Authentication Mode to LDAP.} - -%\pdfbookmark[2]{Logging into the Web Interface}{Logging into the Web Interface} -\subsection*{\hypertarget{link:Logging into the Web Interface}{Logging into the Web Interface}} -\addcontentsline{toc}{subsection}{Logging into the Web Interface} -\label{sec:intro:logging:for} - %\pdfbookmark[2]{Changing Your Password}{Changing Your Password} \subsection*{\hypertarget{link:Changing Your Password}{Changing Your Password}} \addcontentsline{toc}{subsection}{Changing Your Password} 
@@ -116,12 +115,32 @@ You should periodically change your password. The following procedure explains h \begin{description} - \item[STEP 1.]Select \textbf{Administration} > \textbf{Users} and find your account item in the list. + \item[STEP 1.]Select \textbf{Administration} > \textbf{Admins} and find your account item in the list. \item[STEP 2.]Click the item in the list, then click \textbf{Edit}. \item[STEP 3.]Check your account information and enter your new password. \item[STEP 4.]Click \textbf{OK}.\\ \end{description} +\subsection*{\hypertarget{link:Logged In Admins}{Logged In Admins}} +\addcontentsline{toc}{subsection}{Logged In Admins} +\label{sec:intro:logging:Logged} + +TSG administrator can view users’ login status, time, IP address, and disconnect logged in users. When two system users login with the same account, +the latter will disconnect the former automatically. + +\subsection*{\hypertarget{link:Admins and Two-Factor Authentication}{Admins and Two-Factor Authentication}} +\addcontentsline{toc}{subsection}{Admins and Two-Factor Authentication} +\label{sec:intro:logging:2fa} + +To configure current account preference, you can click \textbf{My Account} in the upper right corner. You can configure default Language and/or Line per page here. + + +To prevent unauthorized users from gaining access to an account with nothing more than a stolen password. +TSG users can enable Two-Factor authentication strengthen the security of an account. +Two-factor authentication is a combination of two of the following: your password and a text with a code sent to your smartphone or other device. +It is recommended to use cloud-based mobile authenticator apps such as GOOGLE Authenticator, Microsoft Authenticator. + + %\pdfbookmark[2]{Login Restrictions}{Login Restrictions} \subsection*{\hypertarget{link:Login Restrictions}{Login Restrictions}} \addcontentsline{toc}{subsection}{Login Restrictions} 
@@ -171,7 +190,7 @@ Use the following workflow set up a very basic Security policy. This gives you a \end{enumerate} \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 when it sends a HTTP request to the 172.16.0.1 server: \begin{enumerate} - \item Select \textbf{Settings} > \textbf{Trouble Shooting} and select \textbf{Policy Verify} tab. + \item Select \textbf{System} > \textbf{Trouble Shooting} > \textbf{Policy Verify}. \item Select \textbf{Security Policy Match} from the \textbf{Select Test} drop-down. \item Enter the \textbf{Client IP} and \textbf{Server IP} addresses. \item Specify the \textbf{Client Port} and \textbf{Server Port}. @@ -220,7 +239,7 @@ You can perform the following to set up a basic proxy policy. \\ \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Proxy Policy rules are being evaluated and determine which Proxy Policy rule applies to a traffic flow. \begin{enumerate} - \item Select \textbf{Settings} > \textbf{Trouble Shooting} and select \textbf{Policy Verify} tab. + \item Select \textbf{System} > \textbf{Trouble Shooting} > \textbf{Policy Verify}. \item Select \textbf{Proxy Policy Match} from the \textbf{Select Test} drop-down. \item Enter the \textbf{Client IP} and \textbf{Server IP} addresses or leave it set to default. \item Specify the \textbf{Client Port} and \textbf{Server Port} or leave it set to default. 
@@ -317,7 +336,7 @@ and the detail pages of Policies and Objects are locked. Perform the following steps to add a LOCAL administrative account on TSG.\\ \begin{description} - \item[STEP 1.] Select \textbf{Administration} > \textbf{Users}, select tab Users and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Administration} > \textbf{Admins}, select tab Users and click \textbf{Create}. \item[STEP 2.] Enter a \textbf{Name} to identify the account. \item[STEP 3.] Enter your \textbf{User Name} which is the login name and \textbf{Password}. \item[STEP 4.] Please \textbf{Confirm Password}. 
@@ -328,14 +347,14 @@ Perform the following steps to add a LOCAL administrative account on TSG.\\ For details, see \hyperlink{link:Roles and Permissions}{\textcolor{linkblue}{Roles and Permissions}}. \item[STEP 8.] Click \textbf{OK}. \item[STEP 9.] (\textcolor{gold}{Optional})To verify that you have add a TSG account effectively, you can \textbf{Sign Out} and log into the system with the new account. - Select \textbf{Administration} > \textbf{Login Log} and you can view your login information. + Select \textbf{System Logs} > \textbf{Login Log} and you can view your login information. \end{description} If compliance, audit, or security requirements stipulate that the default administrative account must be removed from your devices, you can remove it after you create at least one other superuser administrative account. You cannot remove the default administrative account until you configure at least one other superuser administrative account on the device. Perform the following steps to delete an account on TSG.\\ \begin{description} - \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Users} and find the item you want to delete in the list. + \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Admins} and find the item you want to delete in the list. \item[STEP 2.] Click \textbf{Delete} at the top left. Click \textbf{Delete} to confirm. \end{description} If you wish to temporarily disable an account, you can search it by User Name or Name at the top right search box. 
@@ -363,7 +382,7 @@ Perform the following to create a new role: \begin{description} - \item[STEP 1.] Select \textbf{Administration} > \textbf{Users}, select tab Roles and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Administration} > \textbf{Admins}, select tab Roles and click \textbf{Create}. \item[STEP 2.] Enter a \textbf{Name} to identify the role. \item[STEP 3.] (\textcolor{gold}{Optional})Enter your \textbf{Description}. \item[STEP 4.] Click the icon before each \textbf{Menu} to switch the permission levels, which defines different permissions. @@ -371,7 +390,7 @@ Perform the following to create a new role: \end{description} -\notemark\textit{It is recommended to configure the same access permission for Policies, Objects and Settings menu, because their data are related. +\notemark\textit{It is recommended to configure the same access permission for Policies, Objects and System menu, because their data are related. Make sure Devices are enabled before you enable Dashboard, because Devices affects the reading of data for device module in Dashboard.} @@ -384,7 +403,7 @@ Configuring TSG to connect to a LDAP server enables you to login in LDAP Authent \begin{description} - \item[STEP 1.] Select \textbf{Administration} > \textbf{LDAP Server} and click \textbf{Create}. + \item[STEP 1.] Select \textbf{System} > \textbf{Server Profiles} > \textbf{LDAP Server} and click \textbf{Create}. \item[STEP 2.] Define a \textbf{Name} to specify the LDAP server. \item[STEP 3.] Enter your \textbf{Host} and \textbf{Port} of the LDAP server. \item[STEP 4.] Enter your \textbf{User Name}, which is the administrative user of LDAP server, and \textbf{User Mapper} which specifies the hierarchy of LDAP user. 
@@ -395,14 +414,14 @@ Configuring TSG to connect to a LDAP server enables you to login in LDAP Authent After setting LDAP server, you can login using the LDAP accounts of enrolled LDAP server. -After a LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Users} of \textbf{Administration} > \textbf{Users}. +After a LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Admins} of \textbf{Administration} > \textbf{Admins}. The column Source indicates the type of account which is shown as LDAP for LDAP account. The column User name includes the full path for LDAP user, and the value of “uid” is the actual login username on TSG. When logging into TSG system for the first time with LDAP user, TSG system will assign the user the role supperreader by default. If the LDAP user requires other role permissions, you need to login by other users who have permission to modify a user’s role to modify it. -In \textbf{Administration} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. +In \textbf{Server Profiles} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. Select the item you wish to change in the list and click \textbf{Edit} to modify LDAP server information. You can delete or disable the LDAP server and after that you will not be able to log into the system with the LDAP account. 
@@ -413,7 +432,7 @@ You can delete or disable the LDAP server and after that you will not be able to If you perform an operation which influence the running of TSG, TSG will generate a log about this action. For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs, etc. -You can view \textbf{Administration} > \textbf{Audit Log} to see details. You can query audit logs within certain time range by ID, Source IP or Target Type. +You can view \textbf{System Logs} > \textbf{Audit Log} to see details. You can query audit logs within certain time range by ID, Source IP or Target Type. Audit logs can be exported as trace evidence. And when you are editing a policy or an object, you will find a link to audit log about this policy or object. %\pdfbookmark[2]{Mail Server}{Mail Server} @@ -427,8 +446,8 @@ Configure Mail Server to send mail alerts, which is currently used to send repor \begin{description} \item[STEP 1.] If you perform an operation which influence the running of TSG, TSG will generate a log about this action. For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs. - You can view \textbf{Administration} > \textbf{Audit Log} to see details. - \item[STEP 2.] Select \textbf{Administration} > \textbf{Mail Server}. + You can view \textbf{Administration} > \textbf{Audit Logs} to see details. + \item[STEP 2.] Select \textbf{Server Profiles} > \textbf{EMail Servers}. \item[STEP 3.] For Simple Mail Transport Protocol (SMTP) server (email server), Add a \textbf{Server} and \textbf{Port}. \item[STEP 4.] Enable \textbf{Need Authentication}. \item[STEP 5.] Define a \textbf{Name} to identify the SMTP server (1-32characters). This field is just a label and doesn’t have to be the hostname of an existing email server. diff --git a/content/Monitoring.tex b/content/Monitoring.tex index 8b456ab..23ba306 100644 
--- a/content/Monitoring.tex +++ b/content/Monitoring.tex @@ -40,6 +40,7 @@ The TSG Dashboard include two sub menus, Main Board and Live Chart. Main Board s \multirow{5}{*}{Endpoints} & Active Client IP & Displays Active Client IP by Sessions, Packets and bytes. You can view either the tables, pies or bars. \\ \cline{2-3} & Active Server IP & Displays Active Server IP by Sessions, Packets and bytes. You can view either the tables, pies or bars. \\ \cline{2-3} & Active Subscriber ID & Displays Active Subscriber ID by sessions, Packets and bytes. You can view either the tables, pies or bars. \\ \cline{2-3} + & Top APP & Displays Top APP by Sessions, Packets and Bytes. You can view either the table, pie or bar. \\ \cline{2-3} & Top URLs & Displays Top URLs of Security and Proxy Policy Hits by session count. You can view either the tables or bars. \\ \cline{2-3} & Top Domains & Displays Top Domains by sessions, Packets and bytes. You can view either the tables, pies or bars. \\ \hline \multirow{3}{*}{\tabincell{l}{Proxy Policy\\ Hits}} & Proxy Policy Hits by action & Hits are the times that traffic matched the criteria you defined in the Proxy Policy rule. A display of Proxy Policy Hits by action within the current time scope. You can view the Number of hit action by Sessions, Packets and bytes number. \\ \cline{2-3} 
@@ -69,7 +70,9 @@ Live Chart show network summary, survey statistics, throughput and protocol info \addcontentsline{toc}{section}{View and Manage Logs} \label{sec:monitor:log} -A log is an automatically generated, time-stamped file that provides an audit trail for network traffic events that TSG monitors. Log records contain columns, which are properties, activities, or behaviors associated with the logged event. Each log type records information for a different event type. You can see the following 4 log types in the Log pages. +A log is an automatically generated, time-stamped file that provides an audit trail for network traffic events that TSG monitors. +Log records contain columns, which are properties, activities, or behaviors associated with the logged event. +Each log type records information for a different event type. You can see the following 6 log types in the Log pages. • Security Event Logs @@ -83,6 +86,12 @@ A log is an automatically generated, time-stamped file that provides an audit tr • Radius Logs + +• VoIP Records + + +• GTP-C Records + %\pdfbookmark[2]{Log Types}{Log Types} \subsection*{\hypertarget{link:Log Types}{Log Types}} \addcontentsline{toc}{subsection}{Log Types} @@ -98,6 +107,7 @@ Session Records • Session records regardless of policy configuration; it shows all traffic that is allowed on your network. Traffic logs display an entry for the start and end of each session. +TSG Session records display Transaction records when clicking more. Session records also consist of GTP, MPLS information. You can view live sessions in session records, but reports do not include live sessions. Radius Logs 
@@ -108,6 +118,18 @@ TSG will keep track of radius traffic information, including Packet Type, Accoun You can use the Account information in radius log to create \hyperlink{link:Subscriber ID}{\color{linkblue}{Subscriber ID}} object. +VoIP Records + + +• Voice over IP (VoIP) requires faster speeds and time-sensitive, real-time delivery. It mainly uses RTP as its media protocol to deliver multimedia sessions and Session Initiation Protocol (SIP) for signaling. SIP can open dynamic pinholes in the firewall where NAT is enabled. TSG only supports t VoIP calls using SIP for signaling and RTP for delivering audio data. TSG will keep track of VoIP traffic regarding general info, action, source, destination, application, transmission and SIP fields. + + +GTP-C Records + + +• GTP-C records composed of GTP-C version (v1 or v2), International Mobile Equipment Identity (IMEI), APN and Phone Number. + + Please refer to \hyperlink{link:Appendix C Log Fields Description}{\color{linkblue}{Appendix C Logs Fields Description}} for more details. %\pdfbookmark[2]{View Logs}{View Logs} 
@@ -152,9 +174,9 @@ TSG log filter supports search by multiple fields in AND/OR relation. You can pe \begin{description} \item[STEP 1.] Select \textbf{Logs}. Select a log type from the list. For example, \textbf{Proxy Event Logs}. \item[STEP 2.] Select the time period picker. By default, it shows logs of \textbf{Last 1 hour}. - \item[STEP 3.] Click \textbf{Add Filter} to add search term. The supported search fields are: Log ID, Policy ID, Subscriber ID, Client IP, Internal IP, Client Port, - Server IP, Server Port, External IP, Action, Sled IP, Schema Type, Data Center, Session ID, TCP Client ISN, TCP Server ISN, Http.URL, Http.Domain, SSL.SNI and SSL. JA3 hash. - Then, select \textbf{Operator}, such as =, !=, in, not in, like, not like, notEmpty, empty. And input the value. If you wish to add multiple search fields, click Add Filter again, and proceed. + \item[STEP 3.] Click \textbf{Add Filter} to add search term. The supported search fields are: Log ID, Policy ID, Subscriber ID, IMEI, IMSI, Phone Number, Client IP, Internal IP, Client Port, + Server IP, Server Port, External IP, Action, Sled IP, Schema Type, Data Center, Application Label, FQDN Category, Session ID, TCP Client ISN, TCP Server ISN, Http.URL, Http.Domain, SSL.SNI and SSL. JA3 hash etc. + Then, select \textbf{Operator}, such as =, !=, in, not in, like, not like, notEmpty, empty, HAS. And input the value. If you wish to add multiple search fields, click Add Filter again, and proceed. TSG support \textbf{AND}/\textbf{OR} relations between search fileds. For example, enter Client IP 192.168.50.62 and Action Deny to display only entries that contain both fields in the log. \end{description} 
@@ -249,8 +271,14 @@ This consideration guides you in making the following selections in a custom rep • Session Records - • Radius Logs \\\hline - Group by & Collect data from multiple records and group the results by one or more fields (columns). + • Radius Logs + + + • VoIP Records + + + • GTP-C Records \\\hline + Group by & Collect data from multiple records and group the results by one or more fields (columns). Click the "+" button to add variable. @@ -317,6 +345,10 @@ This consideration guides you in making the following selections in a custom rep Server ASN\\ Start Time\\ End Time\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -343,6 +375,10 @@ This consideration guides you in making the following selections in a custom rep Sequence Gap\\ Loss(s2c)\\ Unorder Packets\\(c2s)\\ Unorder Packets\\(s2c)\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -382,6 +418,10 @@ This consideration guides you in making the following selections in a custom rep End Time\\ Duration(ms)\\ Establish Latency(ms)\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -408,6 +448,10 @@ This consideration guides you in making the following selections in a custom rep Server ASN\\ Start Time\\ End Time\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -433,6 +477,10 @@ This consideration guides you in making the following selections in a custom rep Bytes Received\\ Duration(ms)\\ Establish\\ Latency(ms)\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -476,6 +524,10 @@ This consideration guides you in making the following selections in a custom rep End Time\\ Duration(ms)\\ Establish Latency(ms)\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Application Label\\ Http.Host\\ Http.Domain\\ Http.URL 
@@ -527,6 +579,9 @@ This consideration guides you in making the following selections in a custom rep Data Center\\ Client ASN\\ Server ASN\\ + IMEI\\ + IMSI\\ + Phone Number\\ Http.Host\\ Http.Domain\\ Http.URL\\ @@ -547,7 +602,8 @@ This consideration guides you in making the following selections in a custom rep Http.URL\\ DoH.Host\\ DoH.QNAME\\ - Log ID} & \tabincell{l}{Policy ID\\ + Log ID\\ + Phone Number} & \tabincell{l}{Policy ID\\ Sub Action\\ Address Type\\ Server IP\\ 
@@ -572,7 +628,204 @@ This consideration guides you in making the following selections in a custom rep Http.URL\\ Http.Content Type\\ DoH.Host\\ - DoH.QNAME} \\ \hline + DoH.QNAME\\ + Phone Number} \\ \hline + \tabincell{l}{VoIP\\ Records} & \tabincell{l}{Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Sled IP\\ + Device ID\\ + Client Location\\ + Server Location\\ + Subscriber ID\\ + Client Port\\ + Server Port\\ + Schema Type\\ + L4 Protocol\\ + L7 Protocol\\ + Data Center\\ + Client ASN\\ + Server ASN\\ + Start Time\\ + End Time\\ + SIP.Call-ID\\ + SIP.Originator\\ + SIP.Responder\\ + SIP.User-Agent\\ + SIP.Server\\ + SIP.Duration\\ + SIP.Bye\\ + RTP.Payload\\ Type(c2s)\\ + RTP.Payload\\ Type(s2c)\\ + RTP.Direction\\ + Receive Time + } + & \tabincell{l}{Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Subscriber ID\\ + Sled IP\\ + Device ID\\ + Packets Sent\\ + Packets Received\\ + Bytes Sent\\ + Bytes Received\\ + Sessions\\ + Duration(ms)\\ + Establish\\ Latency(ms)\\ + Fragmentation\\ Packets(c2s)\\ + Fragmentation\\ Packets(s2c)\\ + Sequence Gap\\ Loss(c2s)\\ + Sequence Gap\\ Loss(s2c)\\ + Unorder Packets\\(c2s)\\ + Unorder Packets\\(s2c)\\ + SIP.Call-ID\\ + SIP.Originator\\ + SIP.Responder\\ + SIP.User-Agent\\ + SIP.Server\\ + SIP.Duration\\ + Log ID} & \tabincell{l}{Address Type\\ + Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Client Port\\ + Server Port\\ + Client Location\\ + Server Location\\ + Subscriber ID\\ + Packets Sent\\ + Packets Received\\ + Bytes Sent\\ + Bytes Received\\ + Fragmentation Packets(c2s)\\ + Fragmentation Packets(s2c)\\ + Sequence Gap Loss(c2s)\\ + Sequence Gap Loss(s2c)\\ + Unorder Packets(c2s)\\ + Unorder Packets(s2c)\\ + L4 Protocol\\ + L7 Protocol\\ + Stream Direction\\ + Direction\\ + Data Center\\ + Sled IP\\ + Device ID\\ + Schema Type\\ + Client ASN\\ + Server ASN\\ + Start Time\\ + End Time\\ + Duration(ms)\\ + Establish Latency(ms)\\ + SIP.Call-ID\\ + SIP.Originator\\ + 
SIP.Responder\\ + SIP.User-Agent\\ + SIP.Server\\ + SIP.Duration\\ + SIP.Bye\\ + RTP.Payload Type(c2s)\\ + RTP.Payload Type(s2c)\\ + RTP.Direction + } \\ \hline + \tabincell{l}{GTP-C\\ Records} & \tabincell{l}{Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Sled IP\\ + Device ID\\ + Client Location\\ + Server Location\\ + Subscriber ID\\ + Client Port\\ + Server Port\\ + Schema Type\\ + L4 Protocol\\ + L7 Protocol\\ + Data Center\\ + Client ASN\\ + Server ASN\\ + Start Time\\ + End Time\\ + Version\\ + APN\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Receive Time} + & \tabincell{l}{Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Subscriber ID\\ + Sled IP\\ + Device ID\\ + Packets Sent\\ + Packets Received\\ + Bytes Sent\\ + Bytes Received\\ + Sessions\\ + Duration(ms)\\ + Establish\\ Latency(ms)\\ + Fragmentation\\ Packets(c2s)\\ + Fragmentation\\ Packets(s2c)\\ + Sequence Gap\\ Loss(c2s)\\ + Sequence Gap\\ Loss(s2c)\\ + Unorder Packets\\(c2s)\\ + Unorder Packets\\(s2c)\\ + Version\\ + APN\\ + IMEI\\ + IMSI\\ + Phone Number\\ + Log ID} & \tabincell{l}{Address Type\\ + Server IP\\ + Client IP\\ + Internal IP\\ + External IP\\ + Client Port\\ + Server Port\\ + Client Location\\ + Server Location\\ + Subscriber ID\\ + Packets Sent\\ + Packets Received\\ + Bytes Sent\\ + Bytes Received\\ + Fragmentation Packets(c2s)\\ + Fragmentation Packets(s2c)\\ + Sequence Gap Loss(c2s)\\ + Sequence Gap Loss(s2c)\\ + Unorder Packets(c2s)\\ + Unorder Packets(s2c)\\ + L4 Protocol\\ + L7 Protocol\\ + Stream Direction\\ + Direction\\ + Data Center\\ + Sled IP\\ + Device ID\\ + Schema Type\\ + Client ASN\\ + Server ASN\\ + Start Time\\ + End Time\\ + Duration(ms)\\ + Establish Latency(ms)\\ + Version\\ + APN\\ + IMEI\\ + IMSI\\ + Phone Number\\ + End User Address V4\\ + End User Address V6\\ + Uplink TEID\\ + Downlink TEID\\ + Message Type} \\ \hline \end{longtable} \item[] \notemark\textit{Viewing the SQL query of an existing dataset.\\ 
diff --git a/content/Objects.tex b/content/Objects.tex index 0ce574f..e995f9f 100644 --- a/content/Objects.tex +++ b/content/Objects.tex 
@@ -68,6 +68,15 @@ You can create the following policy objects on TSG. A policy object consists of \tabincell{l}{URLs/\\URL Group} & A Uniform Resource Locator, colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a hostname (www.example.com), and a file name (index.html). Here the protocol is not allowed when adding. Support exactly matching, prefix matching, suffix matching, and substring matching \\\hline \tabincell{l}{Categories/\\Category Group} & Category classifies websites based on site content, features, and safety. Once created, the category can be selected as a filter of a policy. This means that a policy will only allow or block requests that match the category. For details, please refer to \hyperlink{link:Categories}{\color{linkblue}{Categories}}.\\\hline \tabincell{l}{Accounts/\\Account Group} & Stores the account information for your application. For example, you can add your email account as a filter when creating a policy using MAIL application. Support exactly matching, prefix matching, suffix matching and substring matching. \\\hline + \tabincell{l}{Mobile Identities/\\Mobile Identity\\ Group} & Consists of IMSI and Phone Number. Both are string type, composed of decimal numbers with maximum 15 digits. IMSI only supports prefix matching. Phone Number supports exactly matching, prefix matching, suffix matching and substring matching. \\\hline + \tabincell{l}{APNs/\\APN Group} & Access Point Name of GTP users. + + + String type with format like FQDN. + + + Support exactly matching and suffix matching. 
\\\hline + \tabincell{l}{Applications} & Applications, a patented traffic classification system available in TSG firewalls, determines what an application is irrespective of port, protocol, encryption or any other evasive tactic used by the application. It applies multiple classification mechanisms—application signatures, application protocol decoding, and heuristics—to your network traffic stream to accurately identify applications. An Application allows you to filter applications dynamically. \\\hline \end{longtable} @@ -116,6 +125,9 @@ You can also import objects by clicking the import icon. Only csv and txt format \notemark\textit{The TSG system only provides the export of objects with items, but object group with subordinate object are not allowed to be exported.} +TSG allows searching objects based on ID, Name, Description, Operator, Time etc. + + Select the checkbox for objects in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and select Object tab to view the Watch List. You can search objects by ID and Name in the list. %\pdfbookmark[1]{IP Addresses}{IP Addresses} @@ -168,7 +180,7 @@ IP Libraries map geographic locations to IP addresses. TSG provides built-in IP The following steps guide you to Create Geography: \begin{description} - \item[STEP 1.] Select \textbf{Settings} > \textbf{Advanced} > \textbf{IP Libraries}, and click \textbf{Create}. + \item[STEP 1.] Select \textbf{System} > \textbf{IP Libraries}, and click \textbf{Create}. \item[STEP 2.] Create Geography. \begin{enumerate} \item Select geography \textbf{Type} between Country and City, if you select Country, you need to select \textbf{Continent} field. Here, select City as an example. 
@@ -207,7 +219,7 @@ You can perform the following to create a Subscriber ID: \addcontentsline{toc}{section}{Categories} \label{sec:objects:category} -Category classifies websites based on site content, features, safety and so on. TSG firewall has built-in categories. +Category classifies websites based on site content, features, safety and so on. TSG firewall has built-in categories.TSG allows users to create user-defined categories. One FQDN may belong to multiple categories. Please refer to \hyperlink{link:Appendix A Built-in Category}{\color{linkblue}{Appendix A Built-in Category}} for more details. @@ -226,7 +238,9 @@ AppSketch is a traffic classification system available in TSG firewalls, determi The firewall identifies application with predefined and customized signature. The TSG firewall uses protocol decoding in the content inspection stage to determine one application from the other. After the firewall identifies the session application, security policy can be enforced as configured. The identified application as well as IP, port, protocol, Subscriber ID, FQDN and URL in the session is used as key to find rule match. -When creating a security policy, there are built-in protocols and well-known Applications and customized Applications in the list. You can search the application you want to fill in. You can also use application selector and group as objects in policy +When creating a security policy, there are built-in protocols and well-known Applications and customized Applications in the list. +You can search the application you want to fill in. You can also use application selector and group as objects in policy. +TSG reports enable you to show statistics about bytes sent and received based on Application Label and IP address. See \textbf{Monitoring} > \textbf{View and Manage Reports} for details. %\pdfbookmark[2]{Signatures}{Signatures} \subsection*{\hypertarget{link:Signatures}{Signatures}} 
@@ -271,7 +285,9 @@ The following demonstrates how to create a customized signature. \notemark\textit{Within the same signature, attributes from different protocols are not allowed to serve as Conditions, except for TCP/IP/General Attributes.} -You can \textbf{Edit} or \textbf{Delete} your signature and reference one or multiple signatures when creating application object. +You can \textbf{Edit} or \textbf{Delete} your signature and reference one or multiple signatures when creating application object. +You can also import or export user-defined signatures in json format. + %\pdfbookmark[2]{Customized Attributes}{Customized Attributes} \subsection*{\hypertarget{link:Customized Attributes}{Customized Attributes}} @@ -305,8 +321,8 @@ The following is a basic example of how to create a customized attribute. You can \textbf{Edit} or \textbf{Delete} your customized attributes and download the Uploaded File. %\pdfbookmark[2]{Custom Application}{Custom Application} -\subsection*{\hypertarget{link:Custom Application}{Custom Application}} -\addcontentsline{toc}{subsection}{Custom Application} +\subsection*{\hypertarget{link:Application Customization}{Application Customization}} +\addcontentsline{toc}{subsection}{Application Customization} \label{sec:objects:application:customize} Applications allow you classify all traffic, across all ports, all the time. To ensure that your internal custom applications do not show up as unknown traffic, you can create a custom application. Then practice granular policy control over these applications to minimize the range of unidentified traffic on your network. 
@@ -374,6 +390,9 @@ The following is a basic example of how to create a custom application. \end{enumerate} \end{description} + +\notemark\textit{TSG enables you to import or export custom applications in batch with json format.} + %\pdfbookmark[2]{Application Selector}{Application Selector} \subsection*{\hypertarget{link:Application Selector}{Application Selector}} \addcontentsline{toc}{subsection}{Application Selector} diff --git a/content/Policies.tex b/content/Policies.tex index a283c15..60c9ae6 100644 --- a/content/Policies.tex +++ b/content/Policies.tex @@ -380,7 +380,7 @@ For more details about how TSG process packet flow, please see \textbf{\hyperlin %\pdfbookmark[3]{Voice over Internet Protocol}{Voice over Internet Protocol} \subsubsection*{\hypertarget{link:Voice over Internet Protocol}{Voice over Internet Protocol}} \addcontentsline{toc}{subsubsection}{Voice over Internet Protocol} -\label{sec:policies:security:intercept:option} +\label{sec:policies:security:filter:voip} Voice over Internet Protocol (VoIP) has become more and more popular as an alternative to the traditional public switched telephone network (PSTN). VoIP mainly uses RTP as its media protocol to deliver multimedia sessions and SIP for signaling. 
@@ -392,9 +392,20 @@ For now, TSG only supports the mentioned actions above with VoIP calls using SIP To view detailed description about VoIP log fields, see \textbf{Appendix C Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:SIP}{\color{linkblue}{SIP}}} and \textbf{\hyperlink{link:RTP}{\color{linkblue}{RTP}}}. +\subsubsection*{\hypertarget{link:GPRS Tunnelling Protocol(GTP)}{GPRS Tunnelling Protocol(GTP)}} +\addcontentsline{toc}{subsubsection}{GPRS Tunnelling Protocol(GTP)} +\label{sec:policies:security:filter:gtp} + +GPRS Tunneling Protocol (GTP) allows mobile subscribers to use their phones to establish connections for network access on the move. +TSG supports GTP, which allows you to inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C. + + +To view detailed description about GTP log fields, see \textbf{Appendix C Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:GTP-C}{\color{linkblue}{GTP-C}}}. + %\pdfbookmark[2]{Allow Rules}{Allow Rules} \subsection*{\hypertarget{link:Allow Rules}{Allow Rules}} \addcontentsline{toc}{subsection}{Allow Rules} +\addtocontents{toc}{\protect\newpage} \label{sec:policies:security:allow} TSG allows the network traffic to pass through, without apply further policy checking. You can define traffic that you choose not to enforce policies because of business, @@ -472,7 +483,7 @@ For policies that match SSL Decryption Exclusion are evaluated before intercept %\pdfbookmark[3]{Intercept Trouble Shooting}{Intercept Trouble Shooting} \subsubsection*{\hypertarget{link:Intercept Trouble Shooting}{Intercept Trouble Shooting}} \addcontentsline{toc}{subsubsection}{Intercept Trouble Shooting} -\addtocontents{toc}{\protect\newpage} +%\addtocontents{toc}{\protect\newpage} \label{sec:policies:security:intercept:troubleshooting} You can find out if the interception is successful by checking if the certificates are issued by your pre-configured Root CA. 
@@ -638,10 +649,15 @@ For traffic that matches the attributes defined in a proxy policy, you can apply Deny & The Proxy terminate matched HTTP session with an error page. More information of uploading a html file, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Response Pages}{\color{linkblue}{Response Pages}}}.\\ \hline Monitor & The Proxy produce a log to record matched HTTP session information.\\\hline Redirect & The Proxy redirect matched HTTP session to a predefined URL. Since redirection - need to be performed before delivering response to client, condition of response body is not - applicable in this action. You MUST configure the redirect response via Response Code and Redirect - URL. The Destination URL should begin with a valid protocol (http:|https:). You SHOULD NOT select - 301 as Response Code unless you exactly know what you are doing. This action produces a log. \\ \hline + need to be performed before delivering response to client, condition of response body is not + applicable in this action. You MUST configure the redirect response via Response Code and Redirect + URL. The Destination URL should begin with a valid protocol (http:|https:). You SHOULD NOT select + 301 as Response Code unless you exactly know what you are doing. This action produces a log. + + + The Redirected URL can include Policy ID, Subscriber ID and/or Client IP. + For example, http://www.example.com/query?pageid=12345\&policy\_id=\\ + \{\{tsg\_policy\_id\}\}\&user\_id=\{\{tsg\_subscriber\_id\}\}\&source\_ip=\{\{tsg\_client\_ip\}\} \\\hline Replace & The Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. If no match was found, the session remained untouched. For performance concerns, condition of request body and response body is not available in this action. For example, you can configure the Proxy to search in the response body of URL “www.example.com/index.html”, find every “string1” and replace with “string2”. 
This action produces a log. You can use regex to do replacement, e.g. case insensitive find “(?i)CaSEInSensitive(?-i)”. You can add multiple replacement. 
@@ -790,6 +806,109 @@ You can also import policies by clicking the import icon. Only json and txt form Select the checkbox for policies in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and select Policy tab to view the Watch List. You can search policies by ID and Name in the list. +\section*{\hypertarget{link:WAN NAT}{WAN NAT}} +\addcontentsline{toc}{section}{WAN NAT} +\label{sec:policies:wannat} + +This section describes Network Address Translation (NAT) and how to configure TSG for NAT. + + +The WAN NAT feature can hide and change the traffic’s source and destination IP address. WAN NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses. + + +When an internal real user visits an external service, the traffic will be steered to TSG. And the IP address will be included in TSG’s IP pool, when the real user is disconnected, WAN NAT can disguise as the real user and send request to the external service for its own purposes. Thus, WAN-NAT provides larger address space. It offers a very large IP Pool to help you use Web crawler to gain insight and guide Public Opinion. And WAN NAT can reduce the blocking for web crawler. You can use WAN NAT to create Web Crawler, perform Network scan, effect verification and provide virtual service. TSG supports both source address translation (SNAT) and destination address translation (DNAT). + + +For SNAT, the source address is translated and thereby kept private. It is used for Web Crawler, Network scan, effect verification. + + +DNAT is commonly used for virtual service. TSG translates a destination address to a different destination address; for example, if you have a controlled DNS server, you can direct traffic visiting google DNS to the controlled DNS server. 
+ +\subsection*{\hypertarget{link:Source NAT}{Source NAT}} +\addcontentsline{toc}{subsection}{Source NAT} +\label{sec:policies:security:sourcenat} + +Source NAT(SNAT) is typically used by internal users to access the Internet; the source address is translated and thereby kept private. + + +Perform the following tasks to configure SNAT: + + +\begin{description} + \item[STEP 1.] Create an SNAT IP Pool object for the translated IP address you plan to use. + \begin{enumerate} + \item Select \textbf{Profiles} > \textbf{WAN NAT} > \textbf{SNAT IP Pool}, Click \textbf{Create}. + \item Add a \textbf{Name} for the IP Pool. + \item Specify a \textbf{Color}. + \item You can view \textbf{History Active IP} and select IP address from them. + \item Click \textbf{Reachability Test} to verify reachability of the IP address. It is recommended to use IP address which pass the test. + + + \notemark\textit{There are 4 results for reachability test. They are reachable, unreachable, unknown, N/A. If all the data packets sent by TSG are received by server, the result is reachable. If all is not received by the server, the result is unreachable. If only parts of the data packets are received by server, the result is unknown. If the server did not respond, the result is N/A.} + + + \item Add a \textbf{Description}. + \item Click \textbf{OK}. + \end{enumerate} + \item[STEP 2.] Create a VPN Account for the Original IP address. + \begin{enumerate} + \item Select \textbf{Profiles} > \textbf{WAN NAT} > \textbf{VPN Accounts}, Click \textbf{Create}. + \item Specify a \textbf{Color}. + \item Add a \textbf{VPN Name} and \textbf{Password}. + \item Click \textbf{OK}. + \end{enumerate} + \item[STEP 3.] Create the NAT policy. + \begin{enumerate} + \item Add a \textbf{Name}. + \item Select \textbf{SNAT} Action. + \item Select the \textbf{VPN Account} you just created. + \item Select the IP Pools you just created. 
+ \item For \textbf{Change Source IP}, if you wish to only translate IP address once, select \textbf{Never}; if you wish to translate IP address by time, select \textbf{By Time} and enter how many seconds change each time; if you wish to translate IP address by connection, select \textbf{By Connections} and enter how many connections change each time. + \item Specify \textbf{Connection Timeout}. + \item Add a \textbf{Tag} and \textbf{Description}. + \item Verify it is \textbf{Enabled}. + \item Click \textbf{OK}. + \end{enumerate} + \item[STEP 4.] Verify the translation. Take packet capture from server which shows the Client IP changes. +\end{description} + +\subsection*{\hypertarget{link:Destination NAT}{Destination NAT}} +\addcontentsline{toc}{subsection}{Destination NAT} +\label{sec:policies:security:dnat} + +Destination NAT(DNAT) is performed on incoming packets when the firewall translates a destination address to a different destination address; for example, it translates a public destination address to a private destination address. Destination NAT also offers the option to perform port forwarding or port translation. + + +• Port Forwarding—Can translate a public destination address and port number to a private destination address but keeps the same port number. + + +• Port Translation—Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the actual port number private. The port translation is configured by entering a Translate Port in the DNAT policy rule. + + +To translate the destination address for all packets on your TSG, as shown in the following procedure: + +\begin{description} + + \item[STEP 1.] Create a VPN Account for the Translated Packet. + \begin{enumerate} + \item Select \textbf{Profiles} > \textbf{WAN NAT} > \textbf{VPN Accounts}, Click \textbf{Create}. + \item Specify a \textbf{Color}. + \item Add a \textbf{VPN Name} and \textbf{Password}. 
+ \item Click \textbf{OK}. + \end{enumerate} + \item[STEP 2.] Create the NAT policy. + \begin{enumerate} + \item Add a \textbf{Name}. + \item Select \textbf{DNAT} Action. + \item Select the \textbf{Source} and \textbf{Destination}. + \item Select the \textbf{VPN Account} you just created. + \item Specify the \textbf{Translate Port} or leave it set to default. + \item Add a \textbf{Tag} and \textbf{Description}. + \item Verify it is \textbf{Enabled}. + \item Click \textbf{OK}. + \end{enumerate} +\end{description} + %\pdfbookmark[1]{Schedules}{Schedules} \section*{\hypertarget{link:Schedules}{Schedules}} \addcontentsline{toc}{section}{Schedules} @@ -853,7 +972,7 @@ For example, a Proxy Policy has been defined with ID 4736, Name tsg-test-pxyveri \begin{description} \item[STEP 1.] \hyperlink{link:Logging into the Web Interface}{\color{linkblue}{Logging into the Web Interface}}. - \item[STEP 2.] Select \textbf{Settings} > \textbf{Trouble Shooting} and select \textbf{Policy Verify} tab to perform a policy match or connectivity test. + \item[STEP 2.] Select \textbf{System} > \textbf{Trouble Shooting} > \textbf{Policy Verify} to perform a policy match or connectivity test. \item[STEP 3.] Enter the required information to perform the policy match test. In this example, just run a \textbf{Proxy Policy Match}. \begin{enumerate} \item Select \textbf{Proxy Policy Match} from the Select Test drop-down. -- cgit v1.2.3
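Review bot: The Mail Server hunk (@@ -427,8 +446,8 @@) now points STEP 1 at \textbf{Administration} > \textbf{Audit Logs}, while the Audit Log hunk directly above it (@@ -413,7 +432,7 @@) changes the same path to \textbf{System Logs} > \textbf{Audit Log}; the two disagree on both menu and plural, so use whichever matches the current UI in both places. In the same hunk, STEP 1 is a copy of the Audit Log paragraph and says nothing about SMTP; drop it and start the procedure at "\item[STEP 2.] Select \textbf{Server Profiles} > \textbf{EMail Servers}." renumbered to STEP 1, and confirm that "EMail Servers" is the exact menu label rather than "Email Servers".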
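Review bot: The new "Top APP" row in the Dashboard table (Monitoring.tex @@ -40,6 +40,7 @@) is worded differently from its neighbours ("the table, pie or bar" versus "the tables, pies or bars" in the rows above and below) and uses "APP" where the rest of the guide says Application or Application Label (for example the filter list in @@ -152); use the exact UI label and the same phrasing as the adjacent rows.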
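Review bot: "TSG Session records display Transaction records when clicking more. Session records also consist of GTP, MPLS information." (Monitoring.tex @@ -98,6 +107,7 @@) is ambiguous on two points: "clicking more" should name the control (a More link in the record detail?), and "consist of GTP, MPLS information" reads as if every session record is GTP/MPLS data. Suggest "Session records also include GTP and MPLS fields when the session was carried over GTP or MPLS." It should also say whether Transaction records are a log type of their own, since they are not among the six types listed in @@ -69.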
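Review bot: Typo in the VoIP Records bullet (Monitoring.tex @@ -108,6 +118,18 @@): "TSG only supports t VoIP calls" has a stray "t". More importantly, "SIP can open dynamic pinholes in the firewall where NAT is enabled" is left hanging: say whether TSG itself opens pinholes for the RTP ports negotiated in the SDP body and when it closes them (on BYE, on timeout), or whether this is a general remark about SIP ALGs; as written a reader cannot tell what TSG does on this path. The GTP-C Records bullet lists only version, IMEI, APN and Phone Number, while the GTP-C dataset added in @@ -572 also carries IMSI, End User Address V4/V6, Uplink/Downlink TEID and Message Type; list the same set here or point to Appendix C, and change "composed of" to "consist of".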
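Review bot: The new "HAS" operator (Monitoring.tex @@ -152,9 +174,9 @@) is added to the operator list without a definition; the others are self-explanatory, this one is not (contains-element on a multi-valued field such as Application Label, as opposed to the substring matching of "like"?). "SSL. JA3 hash" has a stray space and should be written like "SSL.SNI", i.e. "SSL.JA3 hash"; the pre-existing "search fileds" in the context line could be fixed while this hunk is open. Ending the field list with "etc." makes it non-authoritative; either list every field or point at Appendix C for the full set.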
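Review bot: In the Radius Logs group-by column (Monitoring.tex @@ -547,7 +602,8 @@) "Phone Number" is appended after "Log ID", while every other column in this table ends with Log ID; insert "Phone Number\\" before "Log ID\\" so the ordering convention holds.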
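Review bot: In the new GTP-C Records row (Monitoring.tex @@ -572,7 +628,204 @@) the filter column lists "End User Address V4", "End User Address V6", "Uplink TEID", "Downlink TEID" and "Message Type", but none of them appears in the select or group-by column, so a report can be filtered by TEID without being able to show it; either add them to the first column or say in the surrounding text that these fields are filter-only. The group-by columns of both new rows copy "Sessions", "Duration(ms)", "Establish Latency(ms)" and the fragmentation and sequence-gap counters from the Session Records row; grouping by a per-flow latency or counter value is rarely what a report author wants, so please confirm the UI really offers them as group-by keys for the VoIP and GTP-C datasets rather than as aggregates.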
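Review bot: The new Applications row (Objects.tex @@ -68,6 +68,15 @@) calls Applications "a patented traffic classification system available in TSG firewalls", which is an unsupported claim (no patent is cited anywhere in the guide) and a near-duplicate of the AppSketch paragraph in the Applications section ("AppSketch is a traffic classification system available in TSG firewalls, determin..."); drop "patented" and replace the duplicated text with a one-line summary plus a \hyperlink to that section, as the Categories row does. In the Mobile Identities row, say why IMSI is limited to prefix matching (matching an MCC/MNC or operator range) so it is not filed as a defect, and state the expected Phone Number form (with or without the leading "+" and country code), since the row describes the value as a decimal string of up to 15 digits and a "+" would not match.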
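Review bot: "TSG allows searching objects based on ID, Name, Description, Operator, Time etc." (Objects.tex @@ -116,6 +125,9 @@) contradicts the unchanged sentence two lines below it, "You can search objects by ID and Name in the list." Keep one; if the list filter and an advanced search are two different controls, say where each lives and which fields each accepts, and replace "etc." with the full field list.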
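Review bot: Missing space in "built-in categories.TSG allows users" (Objects.tex @@ -207,7 +219,7 @@). The new statement "One FQDN may belong to multiple categories" has a policy consequence that should be stated here or in Policies: when one policy allows a category and another denies a second category that the same FQDN belongs to, the administrator needs to know which rule is applied and whether this follows normal rule ordering before using categories as filters.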
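Review bot: "You can also import or export user-defined signatures in json format." (Objects.tex @@ -271,7 +285,9 @@) leaves the import semantics undocumented: what happens when the file contains a signature whose name or ID already exists (overwrite, skip, error), whether the JSON is validated against the Conditions rules described above (for example the note that attributes from different protocols cannot be mixed) before it is installed into the classifier, and whether signatures that reference Customized Attributes require those attributes to exist first. Since an imported signature changes how traffic is classified and therefore which policies match, the guide should also say which role may import and whether the action appears in the Audit Log.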
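Review bot: The note "TSG enables you to import or export custom applications in batch with json format." (Objects.tex @@ -374,6 +390,9 @@) has the same gap as the signature import sentence: document the conflict behaviour for existing IDs and names, whether referenced signatures must already exist, and where the file format is described (a sample file or a pointer to one); otherwise cross-reference the Signatures paragraph so the format is described once. Minor: "with json format" reads better as "in JSON format", matching the earlier sentence.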
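Review bot: The label rename from \label{sec:policies:security:intercept:option} to \label{sec:policies:security:filter:voip} (Policies.tex @@ -380,7 +380,7 @@) is correct (the old name belonged to the Intercept section), but grep the tree for \ref{sec:policies:security:intercept:option} and \pageref of the same name before merging; a dangling reference only shows up as "??" in the PDF and a warning in the build log, and the regenerated PDF is committed in this same change.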
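Review bot: "inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C" in the new GTP subsection (Policies.tex @@ -392,9 +392,20 @@) names no concrete check or action. The VoIP subsection directly above states which actions apply to SIP/RTP calls; do the same here: list the actions TSG can take on GTP-C sessions, say whether GTP-U is inspected or only passed through (the dataset added in Monitoring.tex is GTP-C only), and spell out what "validate" means (version and message-type checks, mandatory IE presence, or something else). Without that, readers will assume the subscriber payload inside the GTP-U tunnel is subject to the same policies.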
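Review bot: The new placeholders in the Redirect row (Policies.tex @@ -638,10 +649,15 @@) put the Subscriber ID and Client IP into a URL that is handed to the client's browser and to the redirect destination, so the subscriber identifier ends up in the client's history, in the destination's access log and in the Referer of whatever the destination page loads next; the text should say so and recommend \{\{tsg\_subscriber\_id\}\} and \{\{tsg\_client\_ip\}\} only for destinations the operator controls, over https. It should also state whether substituted values are percent-encoded before insertion: a Subscriber ID containing "&", "#", "=" or a space would otherwise split or truncate the query string, and if any placeholder value can be influenced by the client it allows injecting extra parameters into the redirect target. Presentation: the example URL is broken with "\\" after "policy\_id=", which renders as a hard line break inside the URL; wrap it in \url{} or \texttt with an allowed break at "\&" so it is copyable.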
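Review bot: The DNAT procedure in the WAN NAT hunk (Policies.tex @@ -790,6 +806,109 @@, subsection Destination NAT) never configures the translated destination address: STEP 2 sets Name, Action, Source and Destination, VPN Account and Translate Port, but unlike SNAT STEP 3 (which selects the IP Pool) no step says where the traffic is sent, so the google-DNS-to-controlled-DNS example cannot be reproduced from these steps; add the field, or say that the VPN Account supplies the target. Also in this hunk: (1) the intro says a subscriber's address enters the pool when the real user visits an external service and is reused "when the real user is disconnected", but nothing says how disconnection is detected, how long an address must be idle before reuse, or what happens when the subscriber reconnects while a crawler session still holds the address; both the collision and the fact that remote servers will then log TSG-originated traffic under the subscriber's address belong in the text, together with a definition of the Connection Timeout in SNAT STEP 3. (2) The reachability test note distinguishes "unreachable" (all packets not received by the server) from "N/A" (server did not respond), but TSG can only learn whether packets were received from the server's reply, so the two outcomes describe the same observation; define each result by what TSG actually observes (an explicit ICMP error versus silence, for instance) or merge them. (3) SNAT STEP 2 creates a VPN Account with a name and password "for the Original IP address" but never says which client presents these credentials, over which protocol, or how the account is tied to an original address, so the client side cannot be set up from this text. (4) SNAT STEP 3 lacks the menu path that STEPs 1 and 2 have. (5) "gain insight and guide Public Opinion" and "reduce the blocking for web crawler" are purpose statements, not a description of the mechanism; keep the section to what the feature does, and settle on "WAN NAT" rather than mixing it with "WAN-NAT".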