From 5b0b89aee45ab6542669c13e2ccaf3ffe4ba1dcd Mon Sep 17 00:00:00 2001 From: 蒋维 Date: Thu, 23 Sep 2021 16:45:10 +0800 Subject: 根据zc0921的批注进行了修订 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Guide_Setup.tex | 4 +- TSG_Administrator's_Guide_Latest_EN.pdf | Bin 712606 -> 680458 bytes TSG_Administrator's_Guide_Latest_EN.tex | 15 +- content/Advanced_Setting.tex | 45 +++-- content/Appendix_Best_Practices.tex | 6 +- content/Appendix_Log_Fields_Description.tex | 165 ++++++++++-------- content/Appendix_Predefined_Reports.tex | 8 +- content/Appendix_TSG_Packet_Flow.tex | 73 +++++--- content/Decryption.tex | 234 +++++++++++++++---------- content/DoS Detection.tex | 32 +++- content/Getting_Started.tex | 116 ++++++------- content/Monitoring.tex | 133 ++++++++------ content/Objects.tex | 192 +++++++++++++------- content/Policies.tex | 261 ++++++++++++++++------------ 14 files changed, 768 insertions(+), 516 deletions(-) diff --git a/Guide_Setup.tex b/Guide_Setup.tex index 9b44ae1..670876d 100644 --- a/Guide_Setup.tex +++ b/Guide_Setup.tex @@ -14,8 +14,8 @@ \newcommand{\thesisTitle}{TSG Administrator’s Guide} \newcommand{\thesisName}{Geedge Team} \newcommand{\thesisSubject}{Documentation} -\newcommand{\thesisDate}{September 10, 2021} -\newcommand{\thesisVersion}{21.08} +\newcommand{\thesisDate}{September 23, 2021} +\newcommand{\thesisVersion}{21.09} %下面的新命令暂时没有用。 \newcommand{\thesisFirstReviewer}{Jane Doe} diff --git a/TSG_Administrator's_Guide_Latest_EN.pdf b/TSG_Administrator's_Guide_Latest_EN.pdf index d2560b4..45e4227 100644 Binary files a/TSG_Administrator's_Guide_Latest_EN.pdf and b/TSG_Administrator's_Guide_Latest_EN.pdf differ diff --git a/TSG_Administrator's_Guide_Latest_EN.tex b/TSG_Administrator's_Guide_Latest_EN.tex index bac101c..356b6a7 100644 --- a/TSG_Administrator's_Guide_Latest_EN.tex +++ b/TSG_Administrator's_Guide_Latest_EN.tex 
@@ -59,6 +59,9 @@ \input{content/titlepage} % INCLUDE: all titlepages \cleardoublepage +\pagestyle{empty} % no header or footers +\input{content/copypage} % INCLUDE: all titlepages +\cleardoublepage \begingroup % Local scope for the following commands %\addtocontents{toc}{\protect\newpage} @@ -116,12 +119,12 @@ %\part{Appendix Part} \input{content/Appendix_Built-in_Category} % INCLUDE: Appendix_A \cleardoublepage -\input{content/Appendix_Predefined_Applications} % INCLUDE: Appendix_B -\cleardoublepage +%\input{content/Appendix_Predefined_Applications} % INCLUDE: Appendix_B +%\cleardoublepage \input{content/Appendix_Log_Fields_Description} % INCLUDE: Appendix_C \cleardoublepage -%\input{content/Appendix_Predefined_Reports} % INCLUDE: Appendix_D -%\cleardoublepage +\input{content/Appendix_Predefined_Reports} % INCLUDE: Appendix_D +\cleardoublepage \input{content/Appendix_TSG_Packet_Flow} % INCLUDE: Appendix_E \cleardoublepage \input{content/Appendix_Best_Practices} % INCLUDE: Appendix_F @@ -151,9 +154,7 @@ % -------------------------- % Copy matter % -------------------------- -\pagestyle{empty} % no header or footers -\input{content/copypage} % INCLUDE: all titlepages -\cleardoublepage + % ************************************************** % End of Document CONTENT diff --git a/content/Advanced_Setting.tex b/content/Advanced_Setting.tex index 1ca2e1f..e511cf3 100644 --- a/content/Advanced_Setting.tex +++ b/content/Advanced_Setting.tex 
@@ -20,7 +20,11 @@ This section contains information about configuring TSG advanced features, inclu \addcontentsline{toc}{section}{Proxy TCP Options} \label{sec:setting:tcp} -TSG provides TCP default option which keeps the Enable TCP Passthrough and Bypass Duplicated Packet off. However, you can Create your own Proxy TCP Options for special situations. Under certain boundary conditions of network transmission, some network parameters need to be renegotiated during network transmission, such as MTU. The network equipment will renegotiate network parameters through some mechanisms, and the negotiation process may not under precise monitor of TSG. And it may affect related policies. In this case, the affected network parameters need to be preset through the PROXY TCP OPTION. +TSG provides TCP default option, which keeps the Enable TCP Passthrough and Bypass Duplicated Packet off. +However, you can create your Proxy TCP Options for special situations. Under certain boundary conditions of network transmission, +some network parameters need to be renegotiated, such as MTU. The network equipment will renegotiate network parameters through some mechanisms, +and the negotiation process may not be under the precise monitor of TSG. And it may affect related policies. +In this case, the affected network parameters need to be preset through the PROXY TCP OPTION. \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Proxy TCP Options}, and click \textbf{Create}. 
@@ -33,14 +37,19 @@ TSG provides TCP default option which keeps the Enable TCP Passthrough and Bypas \end{enumerate} \item[STEP 3.] Enable Proxy TCP Options. \begin{enumerate} - \item (\textcolor{gold}{Optional})\textbf{Enable TCP Passthrough}. When enabled, traffic will bypass TSG proxy system but will not be decrypted. You can enable it, when troubleshooting. + \item (\textcolor{gold}{Optional})\textbf{Enable TCP Passthrough}. When enabled, traffic will bypass the TSG proxy system but will not be decrypted. + You can enable it when troubleshooting. \item (\textcolor{gold}{Optional})Enable \textbf{bypass Duplicated Packet}. - \item Specify Client-side Parameters and Server-side Parameters respectively. They have the same options. + \item Specify Client-side Parameters and Server-side Parameters, respectively. They have the same options. \begin{enumerate} \item (\textcolor{gold}{Optional})Enable \textbf{Override MSS}. The MSS range: 536-1460. \item (\textcolor{gold}{Optional})Enable \textbf{No Delay}. \item Specify \textbf{TTL}. The TTL range: 1-255. - \item (\textcolor{gold}{Optional})Enable \textbf{Keepalive}. Specify \textbf{Probe Number}, \textbf{Idle Time} and \textbf{Interval}. Probe Number is the maximum number of keepalive probes TCP should send before dropping the connection. Idle Time is the time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes, if the socket option SO\_KEEPALIVE has been set on this socket. Interval is the time (in seconds) between individual keepalive probes. These three options should not be used in code intended to be portable. + \item (\textcolor{gold}{Optional})Enable \textbf{Keepalive}. Specify \textbf{Probe Number}, \textbf{Idle Time}, and \textbf{Interval}. + Probe Number is the maximum number of keepalive probes TCP should send before dropping the connection. 
+ Idle Time is the time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes + if the socket option SO\_KEEPALIVE has been set on this socket. Interval is the time (in seconds) between individual keepalive probes. + These three options should not be used in code intended to be portable. \item Define \textbf{User Timeout}. The User Timeout range: 200\-60000. \end{enumerate} \item Click \textbf{OK}. 
@@ -54,10 +63,14 @@ You can \textbf{Edit} or \textbf{Delete} your customized Proxy TCP Options. \addcontentsline{toc}{section}{System Usage} \label{sec:setting:usage} -System usage displays policy and object usage in bar chart and also shows storage usage of files, traffic logs, reports and metrics. Files are unstructured logs carried by session records and will store at least one month by default. Traffic Logs include all four types of logs and will also store at least one month by default. Reports and Metrics are the predefined or customized data aggregated based on multiple dimensions and will store at least one year by default. +System usage displays policy and object usage in bar chart and also shows storage usage of files, traffic logs, reports, and metrics. +Files are unstructured logs carried by session records and will store at least one month by default. +Traffic Logs include all four types of logs and will also store at least one month by default. +Reports and Metrics are the predefined or customized data aggregated based on multiple dimensions and will store at least one year by default. -TSG automatically deletes logs and reports that exceed the expiration period. When TSG reaches the storage quota, it automatically deletes older data. Deleting operates every day at 24:00. +TSG automatically deletes logs and reports that exceed the expiration period. When TSG reaches the storage quota, +it automatically deletes older data. Deleting operates every day at 24:00. You can estimate server storage space and configure storage parameters. For your convenience, provide the following formula to calculate your required server count. 
@@ -81,13 +94,16 @@ You can estimate server storage space and configure storage parameters. For your • Interval in seconds: 86400, Seconds of a day. -• Disk Safety Factor: it is normally 0.7. It means 70\% of the storage will be used for runtime data of TSG, including logs, files, reports and metrics. The others will occupy the remaining 30\%, such as OS, Raid5 and temporary data. +• Disk Safety Factor: it is normally 0.7. It means 70\% of the storage will be used for runtime data of TSG, including logs, files, reports, and metrics. +The others will occupy the remaining 30\%, such as OS, Raid5, and temporary data. -Following are some calculation for a typical scenario: +Following are some calculations for a typical scenario: -Suppose there is a data center which is configured to handle the traffic of mainstream website and applications by TSG. The log rate of session records is 2000/s; the log rate of event logs is 1500/s; the planed storage days is 30 for event logs with files, so does the storage of session records. The RF of event logs storage is set to 2 since event logs, which is raised by hit policies, require more attention. While the RF of session records is set to 1. +Suppose there is a data center that is configured to handle the traffic of mainstream websites and applications by TSG. The log rate of session records is 2000/s; +the log rate of event logs is 1500/s; the planed storage days is 30 for event logs with files, so does the storage of session records. +The RF of event logs storage is set to 2 since event logs, raised by hit policies, require more attention. At the same time, the RF of session records is set to 1. • Storage of session records: 2000*30*86400*1KB*0.4*1 = 1.93TB 
@@ -96,13 +112,16 @@ Suppose there is a data center which is configured to handle the traffic of main • Storage of event logs: 1500*30*86400*1KB*0.4*2 = 2.9TB -In this scenario, the storage space for Files is generally smaller than 150\% of storage of session records. The storage space for metrics, which is the data of calculation to set up Mainboard and Live Chart, is less than 100MB every day while the storage space required for reports depends on their complexity and quantity. +In this scenario, the storage space for Files is generally smaller than 150\% of the storage of session records. +The storage space for metrics, which is the data of calculation to set up Mainboard and Live Chart, +is less than 100MB every day, while the storage space required for reports depends on their complexity and quantity. To configure Storage Usage and expiration period: \begin{description} - \item[STEP 1.] Select \textbf{System} > \textbf{System Usage}. It displays Storage Usage percentage for Reports and Metrics, Files and Traffic Logs. You can view History Log Storage by time. + \item[STEP 1.] Select \textbf{System} > \textbf{System Usage}. It displays Storage Usage percentage for Reports and Metrics, Files, and Traffic Logs. + You can view History Log Storage by time. \warnmark\textit{Warning: Please take caution when performing STEP 2 and STEP 3, because this operation is not recoverable.} 
@@ -114,5 +133,5 @@ To configure Storage Usage and expiration period: \addcontentsline{toc}{section}{System Appearance} \label{sec:setting:appearance} -System appearance enables user to customize firewall’s logo, title and default language. -Go to \textbf{System} > \textbf{System Appearance} to upload your own logo, favicon, specify title, and select default language. \ No newline at end of file +System appearance enables the user to customize system logo, title and default language. +Go to \textbf{System} > \textbf{System Appearance} to upload your own logo, favicon, specify title, and select the default language. \ No newline at end of file diff --git a/content/Appendix_Best_Practices.tex b/content/Appendix_Best_Practices.tex index 128df89..4f8b619 100644 --- a/content/Appendix_Best_Practices.tex +++ b/content/Appendix_Best_Practices.tex @@ -1,8 +1,8 @@ % !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex % -%\pdfbookmark[0]{Appendix F Best Practices}{Appendix F Best Practices} -\chapter*{\hypertarget{link:Appendix F Best Practices}{Appendix F Best Practices}} -\addcontentsline{toc}{chapter}{Appendix F Best Practices} +%\pdfbookmark[0]{Appendix E Best Practices}{Appendix E Best Practices} +\chapter*{\hypertarget{link:Appendix E Best Practices}{Appendix E Best Practices}} +\addcontentsline{toc}{chapter}{Appendix E Best Practices} \label{sec:appendix_f} %\pdfbookmark[1]{Security Policy}{Appendix Security Policy} diff --git a/content/Appendix_Log_Fields_Description.tex b/content/Appendix_Log_Fields_Description.tex index 0f4be3f..592490a 100644 --- a/content/Appendix_Log_Fields_Description.tex +++ b/content/Appendix_Log_Fields_Description.tex 
@@ -1,8 +1,8 @@ % !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex % -%\pdfbookmark[0]{Appendix C Log Fields Description}{Appendix C Log Fields Description} -\chapter*{\hypertarget{link:Appendix C Log Fields Description}{Appendix C Log Fields Description}} -\addcontentsline{toc}{chapter}{Appendix C Log Fields Description} +%\pdfbookmark[0]{Appendix B Log Fields Description}{Appendix B Log Fields Description} +\chapter*{\hypertarget{link:Appendix B Log Fields Description}{Appendix B Log Fields Description}} +\addcontentsline{toc}{chapter}{Appendix B Log Fields Description} \label{sec:appendix_c} \notemark\textit{The column with * is the default display column after logging in to the system for the first time. Once the user has made the configuration, @@ -19,7 +19,7 @@ it will display columns that the user has previously configured. The fields with Security Events & All types \\\hline Proxy Events & Base, HTTP and DoH \\\hline Session Records & All types except Radius \\\hline - Radius Logs & Base and Radius \\\hline + Radius Records & Base and Radius \\\hline VoIP Records & Base, SIP and RTP \\ \hline GTP-C Records & Base and GTP-C \\ \hline \end{longtable} @@ -38,8 +38,7 @@ it will display columns that the user has previously configured. The fields with \item TCP SYN Flood, \item UDP Flood, \item ICMP Flood, - \item DNS Flood, - \item DNS Amplification. + \item DNS Flood. \end{itemize} \\\hline Severity & Critical 
@@ -70,99 +69,119 @@ it will display columns that the user has previously configured. The fields with \begin{longtable}{p{0.34\textwidth}|p{0.58\textwidth}} \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Field}} & \textcolor{white}{Description} \\\hline - Log ID * & A log entry identifier incremented sequentially; each log has a unique number \\\hline - \textbf{Receive Time *} & Time the log was received \\\hline - \textbf{Subscriber ID *} & Identifier of RADIUS Accounting for Subscriber Access (if applicable) \\\hline - \textbf{Client IP *} & Original session client IP address. \\\hline - \textbf{Internal IP} & Internal region IP of the session (if applicable) \\\hline - Client Port & Client port utilized by the session \\\hline - L4 Protocol & Transport layer protocol associated with the session \\\hline - Address Type & IP protocol version associated with the session, 4 or 6 \\\hline - \textbf{Server IP *} & Original session server IP address \\\hline - \textbf{Server Port *} & Server port utilized by the session \\\hline - \textbf{External IP} & External region IP of the session (if applicable) \\\hline - \textbf{Action} & Action taken for the session; possible values are: - \begin{itemize} - \item Allow - session was allowed by policy. - \item Deny - session was denied by policy. - \item Monitor - session was allowed by policy and a log will be generated when matched. - \item Intercept - Intercept HTTP/HTTPS traffic for proxy. If the traffic use SSL/TSL, it will be decrypted. - \item Redirect - The Proxy redirect matched HTTP session to a predefined URL. - \item Replace - The Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. - \item Hijack - The Proxy hijack a downloading file. - \item Insert - The Proxy insert a “js” or “css” scripts to webpages. 
- \end{itemize} - \\\hline - Direction & Indicates session client-to-server direction, possible values are: - - - Egress—Internal to External - - - Ingress—External to Internal + \multicolumn{2}{l}{\textbf{General}} \\\hline + Receive Time * & Time the log was received \\\hline + Log ID * & A log entry identifier is incremented sequentially; each log has a unique number \\\hline + Session ID & An internal numerical identifier applied to the session \\\hline + Direction & Indicates session client-to-server direction, + Internal to External or Ingress—External to Internal \\\hline + Stream Direction & Captured packet direction of the session, possible values are: c2s, s2c, double \\\hline + Start Time & Time of session start \\\hline + End Time & Time of session end \\\hline + Duration(ms) & The elapsed time of the session \\\hline + Establish Latency(ms) & Establish time of the session \\\hline + Processing Time & Processing time in the system \\\hline + Device ID & Unique identifier of devices on which the session was logged \\\hline + Data Center & Name of the data center on which the session was processed \\\hline + Sled IP & IP of the sled which the session was processed \\\hline + \multicolumn{2}{l}{\textbf{Action}} \\\hline + Action & Action taken for the session; possible values are: + \begin{itemize} + \item Allow - session was allowed by policy. + \item Deny - session was denied by policy. + \item Monitor - session was allowed by policy and a log will be generated when matched. + \item Intercept - Intercept HTTP/HTTPS traffic for proxy. If the traffic use SSL/TSL, it will be decrypted. + \item Redirect - The Proxy redirect matched HTTP session to a predefined URL. + \item Replace - The Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. + \item Hijack - The Proxy hijack a downloading file. + \item Insert - The Proxy insert a “js” or “css” scripts to webpages. 
+ \end{itemize} \\\hline - \textbf{Sled IP} & IP of sled which the session was processed \\\hline - Client Location & Geographic location the client IP\\\hline - Client ASN & BGP Autonomous system number the client IP\\\hline - \textbf{Server Location} & Geographic location the server IP\\\hline - Server ASN & BGP Autonomous system number the server IP\\\hline - Sessions & Number of sessions with same client IP, server IP, Application, seen within 5 seconds\\\hline - Packets Sent & Number of client-to-server packets for the session\\\hline - Packets Received & Number of server-to-client packets for the session\\\hline - Bytes Sent & Number of bytes in the client-to-server direction of the session\\\hline - Bytes Received & Number of bytes in the server-to-client direction of the session\\\hline - \textbf{Sub Action *} & Sub Action taken for action; possible values are: + Sub Action * & Sub Action taken for action; possible values are: - drop—session was dropped by deny action + drop—session was dropped by deny action - block—session was blocked by deny action + block—session was blocked by deny action - alert—session was alerted by deny action + alert—session was alerted by deny action - allow—session was allowed by intercept action + allow—session was allowed by intercept action - deny—session was denied by intercept action + deny—session was denied by intercept action - monitor—session was monitored by intercept action + monitor—session was monitored by intercept action - redirect—session was redirected by intercept action + redirect—session was redirected by intercept action - replace—session was replaced by intercept action + replace—session was replaced by intercept action - hijack—session was hijacked by intercept action + hijack—session was hijacked by intercept action - insert—session was inserted by intercept action \\\hline - Device ID & Unique identifier of devices on which the session was logged \\\hline - Data Center & Name of data center on which the 
session was logged \\\hline + insert—session was inserted by intercept action \\\hline + Policy ID & The matched policy ID \\\hline + \multicolumn{2}{l}{\textbf{Source}} \\\hline + Client IP & Original session client IP address. \\\hline + Internal IP & Internal region IP of the session (if applicable) \\\hline + Client Port & Client port utilized by the session \\\hline + Client Location & Geographic location the client IP \\\hline + Client ASN & BGP Autonomous system number the client IP \\\hline + Subscriber ID & Identifier of RADIUS Accounting for Subscriber Access (if applicable) \\\hline + IMEI & International Mobile Equipment Identity \\\hline + IMSI & International Mobile Subscriber Identity \\\hline + Phone Number & The user’s phone number \\\hline + \multicolumn{2}{l}{\textbf{Destination}} \\\hline + Server IP & Original session server IP address \\\hline + External IP & External region IP of the session (if applicable)\\\hline + Server Port & Server port utilized by the session\\\hline + Server Location & Geographic location the server IP\\\hline + Server ASN & BGP Autonomous system number the server IP\\\hline + \multicolumn{2}{l}{\textbf{Application}} \\\hline + User Define APP Name & Customized App name \\\hline Application Label & Application label associated with the session \\\hline - Protocol Label & Protocol associated with the session \\\hline + Surrogate ID & App surrogate ID \\\hline L7 Protocol & Layer 7 Protocol associated with the session \\\hline - Start Time & Time of session start \\\hline - End Time & Time of session end \\\hline - Establish Latency & Establish time of the session \\\hline - Duration(ms) & Elapsed time of the session \\\hline - Stream Direction & Captured packet direction of the session, possible values are: c2s, s2c, double \\\hline - Session ID & An internal numerical identifier applied of the session \\\hline - Fragmentation Packets(c2s) & Number of IP fragment packets in client-to-server direction of the session 
\\\hline - Fragmentation Packets(s2c) & Number of IP fragment packets in server-to-client direction of the session \\\hline + Protocol Label & Protocol associated with the session \\\hline + FQDN Category & Service category \\\hline + L4 Protocol & Transport layer protocol associated with the session \\\hline + \multicolumn{2}{l}{\textbf{Transmission}} \\\hline + Sessions & Number of sessions with same client IP, server IP, Application, seen within 5 seconds\\\hline + Packets Sent & Number of client-to-server packets for the session\\\hline + Packets Received & Number of server-to-client packets for the session\\\hline + Packets Sent (Diff) & Diff number of client-to-server packets for the session\\\hline + Packets Received (Diff) & Diff number of server-to-client packets for the session\\\hline + Bytes Sent & Number of bytes in the client-to-server direction of the session\\\hline + Bytes Received & Number of bytes in the server-to-client direction of the session\\\hline + Bytes Sent (Diff) & Diff number of bytes in the client-to-server direction of the session\\\hline + Bytes Received (Diff) & Diff number of bytes in the server-to-client direction of the session\\\hline + Fragmentation Packets(c2s) & Number of IP fragment packets in client-to-server direction of the session\\\hline + Fragmentation Packets(s2c) & Number of IP fragment packets in server-to-client direction of the session\\\hline Sequence Gap Loss(c2s) & Number of TCP gap loss packets in client-to-server direction of the session \\\hline Sequence Gap Loss(s2c) & Number of TCP gap loss packets in server-to-client direction of the session \\\hline - Unorder Packets(c2s) & Number of TCP out of order packets in client-to-server direction of the session \\\hline + Unorder Packets(cs2) & Number of TCP out of order packets in client-to-server direction of the session \\\hline Unorder Packets(s2c) & Number of TCP out of order packets in server-to-client direction of the session \\\hline - TCP Client ISN & 
TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. - The client chooses an initial sequence number, set in the first SYN packet. Initial sequence numbers (ISN) refers to the unique 32-bit sequence number assigned to each new connection - on a TCP-based data communication. An ISN is unique to each connection and separated by each device. Now use a random number in ISN selection process to defeat malicious attacks. \\\hline - TCP Server ISN & The server also chooses its own initial sequence number, set in the SYN/ACK packet. Each side acknowledges each other's sequence number by incrementing it. \\\hline + Packet Retransmission(c2s) & Number of TCP retransmission packets in client-to-server direction of the session\\\hline + Packet Retransmission(s2c) & Number of TCP retransmission packets in server-to-client direction of the session\\\hline + Byte Retransmission(c2s) & Number of TCP retransmission bytes in client-to-server direction of the session \\\hline + Byte Retransmission(s2c) & Number of TCP retransmission bytes in server-to-client direction of the session \\\hline + TCP Client ISN & TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The client chooses an initial sequence number, set in the first SYN packet. Initial sequence numbers (ISN) refers to the unique 32-bit sequence number assigned to each new connection on a TCP-based data communication. An ISN is unique to each connection and separated by each device. Now use a random number in ISN selection process to defeat malicious attacks.\\\hline + TCP Server ISN & The server also chooses its own initial sequence number, set in the SYN/ACK packet. 
Each side acknowledges each other's sequence number by incrementing it.\\\hline + Mirrored Packets & Number of mirrored packets \\\hline + Mirrored Bytes & Number of mirrored bytes\\\hline + \multicolumn{2}{l}{\textbf{Other}} \\\hline + Address Type & IP protocol version associated with the session, 4 or 6 \\\hline + Schema Type & Protocol type: BASE, HTTP, MAIL, DNS, SSL, FTP, BGP, VoIP, RADIUS, QUIC, DoH, SIP, RTP, APP, GTP-C \\\hline + Tunnels & Information of tunnel \\\hline + Stream Error & Error information of stream\\\hline \end{longtable} %\pdfbookmark[1]{Log Fields per Protocol}{Log Fields per Protocol} diff --git a/content/Appendix_Predefined_Reports.tex b/content/Appendix_Predefined_Reports.tex index 18b11d3..06fc4f9 100644 --- a/content/Appendix_Predefined_Reports.tex +++ b/content/Appendix_Predefined_Reports.tex @@ -1,8 +1,8 @@ % !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex % -%\pdfbookmark[0]{Appendix D Predefined Reports}{Appendix D Predefined Reports} -\chapter*{\hypertarget{link:Appendix D Predefined Reports}{Appendix D Predefined Reports}} -\addcontentsline{toc}{chapter}{Appendix D Predefined Reports} +%\pdfbookmark[0]{Appendix C Predefined Reports}{Appendix C Predefined Reports} +\chapter*{\hypertarget{link:Appendix C Predefined Reports}{Appendix C Predefined Reports}} +\addcontentsline{toc}{chapter}{Appendix C Predefined Reports} \label{sec:appendix_d} %\pdfbookmark[1]{Predefined Reports}{Predefined Reports} 
@@ -177,7 +177,7 @@ Top 30 Destinations by Sessions Traffic-Top-Destination-Domain-by-Sessions & table \\\hline Top 30 Destination Regions by Bandwidth Traffic-Top-Destination-Region-by-Bandwidth-and-Sessions & table \\\hline Top 30 Destination Transmission APP by Bandwidth Traffic-Top-Destination-Transmission-APP-by-Bandwidth & table \\\hline - Top 30 Website Domains by Bandwidth Traffic-Top-Website-Domain-by-Bandwidth & table \\\hline + Top 30 Website Domains by Bandwidth Traffic-Top-Website-Domain-by-Bandwidth & table \\\hline Top 20 Website Domains Bandwidth Distribution Traffic-Top-Website-Domain-by-Bandwidth & bar \\\hline Top 100 Website Domains by Bandwidth Traffic-Top-Website-Domain-by-Bandwidth & table \\\hline Top 20 Website Domains Sessions Distribution Traffic-Top-Website-Domain-by-Sessions & bar \\\hline diff --git a/content/Appendix_TSG_Packet_Flow.tex b/content/Appendix_TSG_Packet_Flow.tex index 14526e8..cc44443 100644 --- a/content/Appendix_TSG_Packet_Flow.tex +++ b/content/Appendix_TSG_Packet_Flow.tex @@ -1,8 +1,8 @@ % !TEX root = ../TSG_Administrator's_Guide_Latest_EN.tex % -%\pdfbookmark[0]{Appendix E TSG Packet Flow}{Appendix E TSG Packet Flow} -\chapter*{\hypertarget{link:Appendix E TSG Packet Flow}{Appendix E TSG Packet Flow}} -\addcontentsline{toc}{chapter}{Appendix E TSG Packet Flow} +%\pdfbookmark[0]{Appendix D TSG Packet Flow}{Appendix D TSG Packet Flow} +\chapter*{\hypertarget{link:Appendix D TSG Packet Flow}{Appendix D TSG Packet Flow}} +\addcontentsline{toc}{chapter}{Appendix D TSG Packet Flow} \label{sec:appendix_e} %\pdfbookmark[1]{Overview}{Overview} 
@@ -13,7 +13,10 @@ This document describes the packet handling sequence in TSG. TSG Firewall performs stateful checks, TSG proxy performs decryption. -The Ingress stage, session stage and egress stage are the three stages of TSG traffic processing. The ingress and egress stages handle network functions and make packet forwarding decisions on a per-packet basis. The remaining stages are session-based security functions such as application identification and content inspection. TSG does not change the operation of the MPLS, 802.1Q, IPv4, IPv6 protocols regardless of the configured policies. +The Ingress stage, session stage, and egress stage are the three stages of TSG traffic processing. +The ingress and egress stages handle network functions and make packet forwarding decisions on a per-packet basis. +The remaining stages are session-based security functions such as application identification and content inspection. +TSG does not change the operation of the MPLS, 802.1Q, IPv4, IPv6 protocols regardless of the configured policies. %\begin{figure}[htb] %\includegraphics[width=\textwidth]{images/pakcet_life_2020} 
@@ -37,14 +40,17 @@ The Ingress stage, session stage and egress stage are the three stages of TSG tr \addcontentsline{toc}{subsection}{Ingress Stage} \label{sec:appendix_e:sequence:ingress} -The ingress stage receives packets from the network interface, parses those packets, and then determines whether a given packet is subject to further inspection. If the packet is subject to further inspection, the system continues with a session lookup and the packet enters the session stage. Otherwise, the system forwards the packet to the egress stage. +The ingress stage receives packets from the network interface, parses those packets, and then determines whether a given packet is subject to further inspection. +If the packet is subject to further inspection, the system continues with a session lookup, and the packet enters the session stage. +Otherwise, the system forwards the packet to the egress stage. %\pdfbookmark[3]{Layer 2 Decode}{Layer 2 Decode} \subsubsection*{\hypertarget{link:Layer 2 Decode}{Layer 2 Decode}} \addcontentsline{toc}{subsubsection}{Layer 2 Decode} \label{sec:appendix_e:sequence:ingress:decode} -Packet parsing starts with the Ethernet (Layer-2) header of the packet received from the wire. VLAN, MPLS, MAC\_IN\_MAC headers are parsed here. The ingress port, 802.1q tag, and destination MAC address are used as keys to lookup the ingress logical interface. +Packet parsing starts with the Ethernet (Layer-2) header of the packet received from the wire. VLAN, MPLS, MAC\_IN\_MAC headers are parsed here. +The ingress port, 802.1q tag, and destination MAC address are used as keys to lookup the logical ingress interface. %\pdfbookmark[3]{Tunnel Decapsulation}{Tunnel Decapsulation} \subsubsection*{\hypertarget{link:Tunnel Decapsulation}{Tunnel Decapsulation}} 
@@ -58,7 +64,9 @@ If the packet has PPPOE, IPIP, GRE, PPTP, L2TP, Teredo, GTP encapsulations, they \addcontentsline{toc}{subsubsection}{IP Defragmentation} \label{sec:appendix_e:sequence:ingress:defragmentation} -After the IP header is parsed (Layer-3), the TSG parses IP fragments, reassembles using the defragmentation process, and then feeds the packet back to the parser starting with the IP header. At this stage, a fragment may be discarded due to tear-drop attack (overlapping fragments), fragmentation errors, or if the TSG hits system limits on buffered fragments (hits the max packet threshold). +After parsing the IP header (Layer-3), the TSG parses IP fragments, reassembles using the defragmentation process, and then feeds the packet back to the parser starting with the IP header.  +A fragment may be discarded at this stage due to tear-drop attack (overlapping fragments), fragmentation errors, or if the TSG hits system limits on buffered fragments +(hits the max packet threshold). %\pdfbookmark[2]{Session Setup}{Session Setup} \subsection*{\hypertarget{link:Session Setup}{Session Setup}} 
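Review bot: The first added line in the IP Defragmentation hunk ends with a stray non-breaking space after "IP header.", and the parenthetical "(hits the max packet threshold)" has been split onto its own line, which leaves a detached fragment in the source; suggest joining it back: "...or if the TSG hits system limits on buffered fragments (hits the max packet threshold)." Also "reassembles using the defragmentation process" has no object; "reassembles them using the defragmentation process" and "due to a teardrop attack" read better.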
@@ -77,10 +85,13 @@ If the packet is subject to firewall inspection, it performs a flow lookup on th • Protocol: The IP protocol number from the IP header is used to derive the flow key. -The firewall stores active flows in the flow lookup table. When a packet is determined to be eligible for firewall inspection, the firewall extracts the 5-tuple flow key from the packet and then performs a flow lookup to match the packet with an existing flow. Each flow has a client and server component. For TCP, the client is the sender of the TCP SYN packet of the session from firewall’s perspective. For UDP, the client is the sender with smaller Port number. The server is the receiver of this first packet. +The firewall stores active flows in the flow table. When a packet is determined to be eligible for firewall inspection, +the firewall extracts the 5-tuple flow key from the packet and then performs a flow lookup to match the packet with an existing flow. +Each flow has a client and server component. For TCP, the client is the sender of the TCP SYN packet of the session from the firewall’s perspective. +For UDP, the client is the sender with a smaller Port number. The server is the receiver of this first packet. -If the packet belongs to on new session, firewall performs a session setup. +If the packet belongs to on new session, the firewall performs a session setup. The firewall uses the IP address of the packet to query mapping tables. 
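Review bot: The typo in "If the packet belongs to on new session, the firewall performs a session setup." survives the rewrite; "on" should be "a" ("belongs to a new session"). Also "a smaller Port number" should be lowercase "port number" for consistency with the rest of the paragraph.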
@@ -95,7 +106,7 @@ The firewall uses the IP address of the packet to query mapping tables. • Geo-IP mapping table: The geographical location is fetched. -There is a chance that above information is not available at this point. In that case, policies with these conditions cannot be enforced. +There is a chance that the above information is not available at this point. In that case, policies with these conditions cannot be enforced. %\pdfbookmark[2]{Session Maintenance}{Session Maintenance} \subsection*{\hypertarget{link:Session Maintenance}{Session Maintenance}} 
@@ -105,19 +116,25 @@ There is a chance that above information is not available at this point. In that A packet that matches an existing session will enter the session maintenance stages. This stage starts with Layer 2 to Layer 4 firewall processing: -• If the session is in close wait state, then the firewall discards the packet by forwarding to egress stage. +• If the session is in a close wait state, the firewall discards the packet by forwarding to the egress stage. • If the session is active, refresh session timeout. -• If the packet is a TCP FIN/RST, the session TCP half closed timer is started if this is the first FIN packet received (half closed session) or the TCP Time Wait timer is started if this is the second FIN packet or RST packet. The session is closed as soon as either of these timers expire. +• If the packet is a TCP FIN/RST, the session TCP half-closed timer is started if this is the first FIN packet received (half-closed session) +or the TCP Time Wait timer is started if this is the second FIN packet or RST packet. The session is closed as soon as either of these timers expires. -If an application uses TCP as the transport, the firewall processes it by the TCP reassembly module before it sends the data stream into the security-processing module. The TCP reassembly module will also perform window check, buffer out-of-order data while skipping TCP retransmission. The firewall drops the packets if there is a reassembly error or if it receives too many out-of-order fragments, resulting in the reassembly buffers filling up. +If an application uses TCP as the transport, the firewall processes it by the TCP reassembly module before sending the data stream into the security-processing module. +The TCP reassembly module will also perform window check, buffer out-of-order data while skipping TCP retransmission. 
+The firewall drops the packets if there is a reassembly error or if it receives too many out-of-order fragments, resulting in the reassembly buffers filling up. -A packet matching an existing session is subject to further processing if packet has TCP/UDP data (payload). If the firewall does not detect the session application, it performs application identification. If the identification is non-conclusive, the content inspection module runs known protocol decoder checks and heuristics to help identify the application. The application identification result could change throughout the life of the session. Once a traffic attribute is parsed, it’s subject to security policy enforcement. +A packet matching an existing session is subject to further processing if a packet has TCP/UDP data (payload). +If the firewall does not detect the session application, it performs application identification. +If the identification is non-conclusive, the content inspection module runs known protocol decoder checks and heuristics to help identify the application. +The application identification result could change throughout the life of the session. Once a traffic attribute is parsed, it’s subject to security policy enforcement. %\pdfbookmark[2]{Firewall Process}{Firewall Process} \subsection*{\hypertarget{link:Firewall Process}{Firewall Process}} 
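Review bot: Subject-verb agreement in the reflowed TCP reassembly line: "The TCP reassembly module will also perform window check, buffer out-of-order data while skipping TCP retransmission" should read "The TCP reassembly module also performs a window check and buffers out-of-order data while skipping TCP retransmissions." In the following paragraph, "if a packet has TCP/UDP data (payload)" should be "if the packet has ..." since it refers to the packet already matched to the session. The unchanged "discards the packet by forwarding to the egress stage" is also confusing (discard versus forward); if the drop actually happens in the egress stage, say so explicitly.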
@@ -136,27 +153,33 @@ The firewall decodes Layer 7 protocols such as HTTP, SSL/TLS and DNS, to get tra \addcontentsline{toc}{subsubsection}{Application Identification} \label{sec:appendix_e:sequence:firewall:identification} -The firewall identifies application with built-in and customized signature. The firewall uses protocol decoding in the content inspection stage to determine if an application changes from one application to another. After the firewall identifies the session application, security policy will be enforced as configured. +The firewall identifies applications with built-in and customized signatures. The firewall uses protocol decoding in the content inspection stage to determine +if an application changes from one application to another. After the firewall identifies the session application, the security policy will be enforced as configured. %\pdfbookmark[3]{Content Decode}{Content Decode} \subsubsection*{\hypertarget{link:Content Decode}{Content Decode}} \addcontentsline{toc}{subsubsection}{Content Decode} \label{sec:appendix_e:sequence:firewall:contentdecode} -The firewall decodes the flow and parses attributes and content, then scan them for keywords, e.g., email attachments that are text-based. If it results in keywords detection, then the corresponding security policy action is taken. Application identification is still on at this stage, as the more traffic attributes are parsed, application identification result may be changed. +The firewall decodes the flow, parses attributes and content, and then scans them for keywords, e.g., text-based email attachments. +If it results in keywords detection, then the corresponding security policy action is taken. +Application identification is still on at this stage; as more traffic attributes are parsed, the application identification result may be changed. 
%\pdfbookmark[3]{Security Policy Lookup}{Security Policy Lookup} \subsubsection*{\hypertarget{link:Security Policy Lookup}{Security Policy Lookup}} \addcontentsline{toc}{subsubsection}{Security Policy Lookup} \label{sec:appendix_e:sequence:firewall:lookup} -The firewall uses application ANY, IP, port, Geographic and Subscriber ID to perform the lookup and check for a rule match. In case of a rule match, if the policy action is set to ‘deny’, the firewall drops the packet. +The firewall uses application ANY, IP, port, Geographic and Subscriber ID to perform the lookup and check for a rule match. +In case of a rule match, if the policy action is set to ‘deny’, the firewall drops the packet. -If security policy action is set to intercept and the application is SSL or HTTP, the firewall sends session packets to Proxy to perform decryption. +If security policy action is set to intercept and the application is SSL or HTTP, the firewall sends session packets to Proxy to decrypt. -After more packet transferred, identified application as well as FQDN, URL and applicable protocol fields in the session are used as key to find rule match. If the session matches a security rule, and the rule has logging enabled, the firewall generates a security event log at the session end. +After more packets are transferred, identified application and FQDN, URL, and applicable protocol fields in the session are used as a key to find rule match. +If the session matches a security rule and has logging enabled, the firewall generates a security event log at the session end. + %\pdfbookmark[2]{Proxy Process}{Proxy Process} \subsection*{\hypertarget{link:Proxy Process}{Proxy Process}} 
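Review bot: The rewrite in the Security Policy Lookup paragraph changes the subject of the logging clause: "If the session matches a security rule and has logging enabled" now attaches "has logging enabled" to the session, whereas the original said the rule has logging enabled. Suggest "If the session matches a security rule and that rule has logging enabled". Also "used as a key to find rule match" needs an article ("a rule match"), and in Content Decode "If it results in keywords detection" would be clearer as "If keywords are detected".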
@@ -180,17 +203,19 @@ The proxy fixes this problem by following two mechanisms: • Duplicate packet identification: For TSG sent packets, TSG adds its 4-tuple, IPID, acknowledge number, sequence number and timestamp (if applicable) to the Bloom filter. For received packet, TSG will query the Bloom filter with the aforementioned protocol fields. If a packet is considered duplicate, it will be bypassed, if not, it will be delivered to TCP stack. -• Duplicate flow detection: Since not all traffic flows have duplicate packets, do duplicate identification on each packet is a waste of CPU and memory, moreover, it induces performance overhead. Hence, only the TCP flows with duplicate SYN or SYN/ACK packet will conduct duplicate packet identification. +• Duplicate flow detection: Since not all traffic flows have duplicate packets, do duplicate identification on each packet is a waste of CPU and memory. +Moreover, it induces performance overhead. Hence, only the TCP flows with duplicate SYN or SYN/ACK packet will conduct duplicate packet identification. %\pdfbookmark[3]{TCP Stack}{TCP Stack} \subsubsection*{\hypertarget{link:TCP Stack}{TCP Stack}} \addcontentsline{toc}{subsubsection}{TCP Stack} \label{sec:appendix_e:sequence:proxy:TCP} -Opening a TCP connection involves a three-way handshake packets: the client contacts the server, the server acknowledges the client, and the client acknowledges the server. -The proxy’s TCP stack attempts to connect server-side immediately after receiving the client’s initial connection request, but waits to return the server acknowledgement until determining whether or not the server-side connection succeeds. -The TCP stack act as transparent proxy and keep the same TCP connection source and destination IP and ports. -This provides greater transparency, as the client receives either an RST or no response, which mirrors what is sent from a server when connections fail. 
+Opening a TCP connection involves a three-way handshake: the client contacts the server, the server acknowledges the client, and the client acknowledges the server. +The proxy’s TCP stack attempts to connect server-side immediately after receiving the client’s initial connection request, +but waits to return the server acknowledgment until determining whether or not the server-side connection succeeds. +The TCP stack act as a transparent proxy and keep the same TCP connection source and destination IP and ports. +This provides greater transparency, as the client receives either an RST or no response, which mirrors what is sent from a server when connections fail. %\pdfbookmark[3]{Build SSL Session}{Build SSL Session} \subsubsection*{\hypertarget{link:Build SSL Session}{Build SSL Session}} diff --git a/content/Decryption.tex b/content/Decryption.tex index c77577a..1567abb 100644 --- a/content/Decryption.tex +++ b/content/Decryption.tex 
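Review bot: In the TCP Stack paragraph of Appendix_TSG_Packet_Flow.tex above, the subject-verb agreement error is carried over into the rewritten line: "The TCP stack act as a transparent proxy and keep the same TCP connection source and destination IP and ports" should be "acts ... and keeps". In the Duplicate flow detection bullet, "do duplicate identification on each packet is a waste of CPU and memory" should be "doing duplicate identification on each packet is a waste of CPU and memory", and the new sentence "Moreover, it induces performance overhead" restates the CPU/memory cost and could be dropped.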
@@ -5,12 +5,14 @@ \addcontentsline{toc}{chapter}{Decryption} \label{sec:decrypt} -Except firewall, TSG has a proxy which utilizes MITM (Man-in-the-middle) technologies and enables you to perform layer 4-7 advanced manipulation of network traffic. -The Proxy is deployed in transparent mode; thus, no proxy settings on browser side. The proxy can decrypt and inspect traffic to control protocols and certificate verification. -The proxy handles encrypted traffic according to your configured security settings. Traffic will be reconstructed according to the TCP/IP protocol stack with the original headers -(source IP, source Port, destination IP, destination Port, Protocol, etc.) and decrypted payload. Decryption prevents malicious encrypted content from entering your network -and sensitive content from leaving your network concealed as encrypted traffic. -Enabling decryption need preparing the keys and certificates required, creating decryption profiles and configuring traffic mirror profile. +TSG has a proxy that utilizes MITM (Man-in-the-middle) technologies and enables you to perform layer 4-7 advanced manipulation of network traffic. +The Proxy is deployed in transparent mode; thus, no proxy settings on the browser side. +The proxy can decrypt and inspect traffic to control protocols and certificate verification. +The proxy handles encrypted traffic according to your configured security settings. +Traffic will be reassembled according to the TCP/IP protocol stack with the original headers +(source IP, source Port, destination IP, destination Port, Protocol, etc.) and decrypted payload. +Decryption prevents malicious encrypted content from entering your network and sensitive content from leaving your network concealed as encrypted traffic. +Enabling decryption needs preparing the keys and certificates required, creating decryption profiles, and configuring traffic mirror profiles. { \color{linkblue} 
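Review bot: "Enabling decryption needs preparing the keys and certificates required" is still awkward; suggest "Enabling decryption requires preparing the necessary keys and certificates, creating decryption profiles, and configuring traffic mirror profiles." Also "thus, no proxy settings on the browser side" is a sentence fragment; "so no proxy settings are needed on the browser side".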
@@ -26,16 +28,21 @@ Enabling decryption need preparing the keys and certificates required, creating \addcontentsline{toc}{section}{Decryption Concepts} \label{sec:decrypt:concept} -The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols secure traffic between two entities, such as a web server and a client. Without special instructions, SSL in this document refers to SSL/TLS. SSL encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the certificates to affirm trust between the devices and the keys to decode the data. +The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols secure traffic between two entities, such as a web server and a client. +Without special instructions, SSL in this document refers to SSL/TLS. SSL encapsulates traffic, encrypting data so that it is meaningless to +entities other than the client and server with the certificates to affirm trust between the devices and the keys to decode the data. -The proxy uses certificates and keys to decrypt traffic to plaintext, and then enforces security settings on the plaintext traffic. After decrypting and inspecting traffic, the proxy re-encrypts the plaintext traffic as it exits the proxy to ensure privacy and security. +The proxy uses certificates and keys to decrypt traffic to plaintext and then enforces security settings on the plaintext traffic. +After decrypting and inspecting traffic, the proxy re-encrypts the plaintext traffic as it exits the proxy to ensure privacy and security. -SSL decryption requires certificates to establish the proxy as a trusted third party, and to establish trust between a client and a server to secure an SSL/TLS connection. You can also use certificates when excluding servers from SSL decryption for technical reasons (the site breaks decryption for reasons such as certificate pinning, unsupported ciphers, or mutual authentication). 
+SSL decryption requires certificates to establish the proxy as a trusted third-party, and establish trust between a client and a server to secure an SSL/TLS connection. +You can also use certificates when excluding servers from SSL decryption for technical reasons +(the site breaks decryption for reasons such as certificate pinning, unsupported ciphers, or mutual authentication). -You can integrate a hardware security module (HSM) with TSG to enable enhanced security for the private keys. +You can integrate a hardware security module (HSM) with TSG to enhance private keys security. To learn more about integrating an HSM, see \hyperlink{link:Manage Keys with a Hardware Security Module}{\color{linkblue}{Manage Keys with a Hardware Security Module}}. %\pdfbookmark[1]{Keys and Certificates}{Keys and Certificates} 
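Review bot: Two wording regressions in the Decryption Concepts hunk: "trusted third-party" is a noun here, so it should stay unhyphenated as "trusted third party" (the hyphenated form is only correct as an adjective, e.g. "third-party CA"); and "to enhance private keys security" should be "to enhance private key security" (or the original "to enable enhanced security for the private keys").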
@@ -43,7 +50,8 @@ To learn more about integrating an HSM, see \hyperlink{link:Manage Keys with a H \addcontentsline{toc}{section}{Keys and Certificates} \label{sec:decrypt:keys} -Keys are strings of numbers typically generated using a mathematical operation involving random numbers and large primes. Keys transform strings—such as passwords and shared secrets—from unencrypted plaintext to encrypted ciphertext and from encrypted ciphertext to unencrypted plaintext. Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key. +Keys are strings of numbers typically generated using a mathematical operation involving random numbers and large primes. +Keys transform strings—such as passwords and shared secrets—from unencrypted plaintext to encrypted ciphertext and from encrypted ciphertext to unencrypted plaintext. X.509 certificates establish trust between a client and a server to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as the FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, or user to which the certificate was issued. A certificate authority (CA) must issue all certificates. After the CA verifies a client or server, the CA issues the certificate and signs it with a private key. 
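Review bot: The hunk removes the sentences explaining that keys can be symmetric or asymmetric ("one key is used for encryption and a mathematically related key is used for decryption"). The following paragraph relies on that distinction when it says the CA "signs it with a private key", and the rest of the chapter talks about private keys, keyrings and HSMs without defining them; suggest keeping at least the asymmetric-key sentence.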
@@ -64,14 +72,19 @@ For detailed information on certificates, see \hyperlink{link:Certificate Manage \addcontentsline{toc}{section}{Certificate Managements} \label{sec:decrypt:certificate} -The digital certificates are used to ensure trust between parties in a secure communication session. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. +The digital certificates are used to ensure trust between parties in a secure communication session. +Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. +Each certificate also includes a digital signature to authenticate the identity of the issuer. +The issuer must be on the list of trusted certificate authorities (CAs) of the authenticating party. %\pdfbookmark[2]{Trusted Certificate Authorities}{Trusted Certificate Authorities} \subsection*{\hypertarget{link:Trusted Certificate Authorities}{Trusted Certificate Authorities}} \addcontentsline{toc}{subsection}{Trusted Certificate Authorities} \label{sec:decrypt:certificate:trusted} -TSG trusts the most common and trusted authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates TSG requires to secure connections to the internet. The additional CAs you might want to add are trusted enterprise CAs that your organization requires. You can perform the following to import a certificate: +TSG trusts the most common and trusted authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates +TSG requires to secure connections to the internet. The additional CAs you might want to add are trusted enterprise CAs that your organization requires. 
+You can perform the following to import a certificate: \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} and select \textbf{Trusted Certificate Authorities} tab, Click \textbf{Import}. 
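Review bot: The reflowed line "Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext" is inaccurate: a certificate carries only the public key, and the corresponding private key (which decrypts or signs) is stored separately, e.g. in a keyring or HSM as described later in this chapter. Suggest "Each certificate contains a public key; the matching private key is kept separately by the certificate holder." Also, in the Trusted Certificate Authorities paragraph, "the most common and trusted authorities (CAs)" should be "the most common trusted certificate authorities (CAs)", and the context heading "Certificate Managements" should be singular.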
@@ -80,25 +93,31 @@ TSG trusts the most common and trusted authorities (CAs) by default. These trust \item[STEP 4.] Click \textbf{OK}. \end{description} -Go back to Trusted Certificate Authorities tab, you can view detailed information about the CA you just created. +Go back to Trusted Certificate Authorities tab. You can view detailed information about the CA you just created. To edit and delete CAs, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. The system will periodically check whether the CA certificate has expired. If the CA certificate expires, the system will automatically set the status of the CA certificate to disable. -To download it, you can click the cloud icon under \textbf{File}, and wait a few seconds for the file to be downloaded to your local folder. -You can search CAs based on ID, Name, Issuer, Common Name and Certificate Fingerprint, or the combination. Enter search conditions in search bar and click search icon. +To download it, you can click the cloud icon under \textbf{File}, and and wait a few seconds to download the file to your local folder. +You can search CAs based on ID, Name, Issuer, Common Name, Certificate Fingerprint, or their combination. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Decryption Keyrings}{Decryption Keyrings} \subsection*{\hypertarget{link:Decryption Keyrings}{Decryption Keyrings}} \addcontentsline{toc}{subsection}{Decryption Keyrings} \label{sec:decrypt:certificate:keyring} -If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into TSG from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption. 
+If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into TSG from your enterprise certificate authority (CA). +Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption. -Note that the built-in certificate with ID 1(\#1) means trusted certificate, and built-in certificate with ID 0(\#0) means untrusted certificate. You can add trusted certificate to TSG with two methods. One is local management with TSG interface through the following procedure; the other is integrate an external HSM device, the certificate will be saved to the HSM for specified website. For more details about HSM, see Manage Keys with a Hardware Security Module. +Note that the built-in certificate with ID 1(\#1) means the default certificate for tursted servers, +and built-in certificate with ID 0(\#0) means default certificate for untrusted servers. +You can add decryption keyring to TSG with two methods. One is local management with TSG interface through the following procedure; +the other is to integrate an external HSM device, the certificate will be saved to the HSM for the specified website. +For more details about HSM, see Manage Keys with a Hardware Security Module. -\notemark\textit{If the HSM is down, the firewall can process decryption for sites of HSM mode for which it has cached the response from the HSM, meanwhile the firewall will deploy default certificates (\#0 or \#1) for those un-cached sites of HSM mode.} +\notemark\textit{If the HSM is down, the firewall can process decryption for sites of HSM mode for which it has cached the response from the HSM. +Meanwhile the firewall will deploy default certificates (\#0 or \#1) for those un-cached sites of HSM mode.} You can perform the following to Import a Certificate and Private Key: 
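Review bot: Two typos introduced by this hunk: "and and wait a few seconds to download the file" duplicates "and" (the same "and and" also appears in the Cached Intermediate Certificates hunk further down), and "default certificate for tursted servers" should be "trusted". Also "You can add decryption keyring to TSG with two methods" needs an article ("a decryption keyring"), and "the other is to integrate an external HSM device, the certificate will be saved to the HSM" is a comma splice; suggest "... an external HSM device; the certificate is then saved to the HSM for the specified website." The download sentence is now worded differently from the identical sentence kept in the Decryption Keyrings section ("wait a few seconds for the file to be downloaded"); pick one form.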
@@ -106,27 +125,29 @@ You can perform the following to Import a Certificate and Private Key: \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Keyrings}, Click \textbf{Create} \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. - \item[STEP 3.] \textbf{Please Upload} a \textbf{Certificate}. For Intermediate CA, certificate must be a complete chain. + \item[STEP 3.] \textbf{Please Upload} a \textbf{Certificate}. For Intermediate CA, the certificate must be a complete chain. \item[STEP 4.] \textbf{Please Upload} a \textbf{Private Key File} separately. It supports PEM (base64-encoded) format only. If you have your digital keys stored in HSM, please select \textbf{HSM}, and fill in \textbf{Slot ID}. \item[STEP 5.] Enter customized \textbf{Reissue Expiry Hours} or select Mirror Server Certificate. - \item[STEP 6.] Select a \textbf{Type} from Root Certificate, Intermediate Certificate and End-entity. - \item[STEP 7.] Select \textbf{Public Key Algorithm} from RSA 1024, RSA 2048, SECP 256r1 and SECP 384r1. + \item[STEP 6.] Select a \textbf{Type} from Root Certificate, Intermediate Certificate, and End-entity. + \item[STEP 7.] Select \textbf{Public Key Algorithm} from RSA 1024, RSA 2048, SECP 256r1, and SECP 384r1. \item[STEP 8.] Enter \textbf{Certificate Revocation List} address or leave the value set to empty. \item[STEP 9.] Enable \textbf{Include root in client-side certificate chain} if you wish to. \end{description} -Go back to Decryption Keyrings tab, you can view detailed information about the Keyrings you just created. +Go back to the Decryption Keyrings tab. You can view detailed information about the Keyrings you just created. To edit and delete Keyrings, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. 
To download it, you can click the cloud icon under \textbf{Private Key} and \textbf{Certificate}, and wait a few seconds for the file to be downloaded to your local folder. -You can search Keyrings based on ID and Name. Enter search conditions in search bar and click search icon. +You can search Keyrings based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[3]{Manage Keys with a Hardware Security Module}{Manage Keys with a Hardware Security Module} \subsubsection*{\hypertarget{link:Manage Keys with a Hardware Security Module}{Manage Keys with a Hardware Security Module}} \addcontentsline{toc}{subsubsection}{Manage Keys with a Hardware Security Module} \label{sec:decrypt:certificate:keyring:hsm} -A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries. HSM clients integrated with TSG enable enhanced security for the private keys used in SSL/TLS decryption. +A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. +It provides both logical and physical protection of these materials from non-authorized use and potential adversaries. +HSM clients integrated with TSG enable enhanced security for the private keys used in SSL/TLS decryption. You can integrate Hardware Security Module (HSM) device on TSG and reference it in Decryption Keyrings. 
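Review bot: Step 7 lists RSA 1024 as a selectable Public Key Algorithm without comment; since 1024-bit RSA is widely deprecated, the guide should at least note that RSA 2048 or the SECP curves are the recommended choices for reissued certificates. Minor style points: "You can integrate Hardware Security Module (HSM) device on TSG" needs an article ("an HSM device"), and "Please Upload" as bold UI text reads oddly inside the sentence; keep it only if that is the exact control label, otherwise "Upload a Certificate".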
@@ -138,7 +159,8 @@ You can integrate an HSM device by the following procedure. \item[STEP 1.] Select \textbf{Devices} > \textbf{HSM} and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Select \textbf{HSM Server Type}. For now, only support CERTEX HSM. - \item[STEP 4.] Specify \textbf{Server IP} and \textbf{Partition Password}. Password only allow English letters, numbers, underscore \_, minus sign \-, English dot (.) and its minimum 6 bits, maximum 16 bits. + \item[STEP 4.] Specify \textbf{Server IP} and \textbf{Partition Password}. Password only allows English letters, numbers, underscore \_, minus sign \-, English dot (.) + and its minimum 6 bits, maximum 16 bits. \item[STEP 5.] Click \textbf{Reachability Test} to know the status of HSM. \item[STEP 6.] Select \textbf{Data Center} of the HSM. \item[STEP 7.] Click \textbf{OK}. 
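Review bot: "\-" in "minus sign \-" is a LaTeX discretionary hyphen and prints nothing unless a line break occurs there, so the minus sign will be missing from the rendered PDF; use a literal "-" (e.g. "\texttt{-}") instead. "minimum 6 bits, maximum 16 bits" should be "minimum 6 characters, maximum 16 characters", and "For now, only support CERTEX HSM" should be "Currently, only CERTEX HSM is supported."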
@@ -152,10 +174,12 @@ You can integrate an HSM device by the following procedure. SSL Decryption Exclusion can exclude two types of traffic from decryption: -• Traffic that breaks decryption for technical reasons, such as using a pinned certificate, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. +• Traffic that breaks decryption for technical reasons, such as using a pinned certificate, unsupported ciphers, or mutual authentication (decrypting blocks the traffic). +If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. -• Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial-services, health-and-medicine, or government traffic. You can choose to exclude traffic based on FQDN. +• Traffic that you choose not to decrypt because of business, regulatory, personal, or other reasons, such as financial services, health-and-medicine, +or government traffic. You can choose to exclude traffic based on FQDN. \notemark\textit{To increase visibility into traffic and reduce the attack surface as much as possible, don’t make decryption exceptions unless you must.} 
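Review bot: The hunk changes "financial-services" to "financial services" but leaves "health-and-medicine" hyphenated in the same list; if these are built-in category names they should all keep the category spelling, otherwise unhyphenate both.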
@@ -165,17 +189,18 @@ Perform the following to exclude a Server from Decryption: \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Decryption} > \textbf{SSL Decryption Exclusion}, Click \textbf{Create}. - \item[STEP 2.] Enter an \textbf{FQDN}, it supports suffix matching and exactly matching only. E.g. *.example.com, \$www.example.com. + \item[STEP 2.] Enter an \textbf{FQDN}. It supports suffix matching and exactly matching only. E.g. *.example.com, \$www.example.com. \item[STEP 3.] Enter a \textbf{Description}. The description can have up to 255 characters. \item[STEP 4.] Click \textbf{OK}. \end{description} -If you create an SSL Decryption Exclusion entry, actually TSG will create an FQDN object which contains only one item. But this FQDN object can only be seen in SSL Decryption Exclusion and will be referenced in TSG built-in Policy ID 1. +If you create an SSL Decryption Exclusion entry, actually TSG will create an FQDN object which contains only one item. +But this FQDN object can only be seen in SSL Decryption Exclusion and will be referenced in TSG built-in Policy ID 1. -Go back to SSL Decryption Exclusion tab, you can view detailed information about the SSL Decryption Exclusion list you just created. +Go back to the SSL Decryption Exclusion tab. You can view detailed information about the SSL Decryption Exclusion list you just created. To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can search exclusion list based on ID and Name. Enter search conditions in search bar and click search icon. +You can search the exclusion list based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Cached Intermediate Certificates}{Cached Intermediate Certificates} \subsection*{\hypertarget{link:Cached Intermediate Certificates}{Cached Intermediate Certificates}} 
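Review bot: Step 2 says "It supports suffix matching and exactly matching only"; the adverb should be an adjective: "suffix matching and exact matching only". It would also help to state which example illustrates which match type, since the "\$" prefix convention is not explained here. "actually TSG will create an FQDN object" reads better as "TSG actually creates an FQDN object".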
@@ -185,25 +210,30 @@ You can search exclusion list based on ID and Name. Enter search conditions in s TSG will automatically cache intermediate certificates. You can select \textbf{Profiles} > \textbf{Decryption} and select \textbf{Cached Intermediate Certificates} to view detailed information about these Intermediate Certificates. These Intermediate Certificates are issued by Trusted Certificate Authorities, which is an effort to amend the incomplete certificate chain. -TSG will collect the following information: source website, issuer by, issuer to, Cn, and expiry date. +TSG will collect the following information: source website, issue by, issue to, CN, and expiry date. -To download it, you can click the icon under \textbf{File}, and wait a few seconds for the file to be downloaded to your local folder. +To download it, you can click the icon under \textbf{File}, and and wait a few seconds to download the file to your local folder. You can also enable and disable it by clicking the switch under \textbf{Enabled}. The system will periodically check whether the intermediate certificate has expired. If the intermediate certificate expires, the system will automatically set the status of the intermediate certificate to disable. -You can search intermediate certificates based on ID, Source Website, Issuer, Common Name and Certificate Fingerprint, or the combination. -Enter search conditions in search bar and click search icon. +You can search intermediate certificates based on ID, Source Website, Issuer, Common Name, and Certificate Fingerprint, or the combination. +Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{SSL Fingerprint}{SSL Fingerprint} \subsection*{\hypertarget{link:SSL Fingerprint}{SSL Fingerprint}} \addcontentsline{toc}{subsection}{SSL Fingerprint} \label{sec:decrypt:certificate:fingerprint} -With the improvement of people's security awareness, more and more apps support Pinning. 
And JA3 fingerprinting is no longer a luxury and is a hard requirement. You can use shared JA3 hash across the network to help accurately identify Pinning applications and then configure the app to Dynamic Bypass or not accordingly in TSG. It can mean the difference between a rapid response and a missed detection. +You can use shared JA3 hash across the network to help accurately identify Pinning applications and then configure the app to Dynamic Bypass or not accordingly in TSG. -It is difficult to collect JA3 hash for Pinning Apps, but as a traffic inspection device, TSG can determine exactly which apps are Not Pinning. And It is relatively easy to collect JA3 hash for Not Pinning Apps. Over time, more and more JA3 hashes of Not Pinning have been collected. If an SSL connection exhibits Pinning characteristics and is not included in the collected JA3 hash of Not Pinning, it is more accurate than ever to tell the APP is Pinning. Under the circumstances, the Dynamic Bypass is recommended in profile. If an SSL connection exhibits Pinning characteristics and is included in the collected JA3 hash of Not Pinning, it is more accurate than ever to tell the APP is a browser without installed root certificate. Under the circumstances, the Intercept is recommended in profile. To configure Dynamic Bypass or Intercept for Pinning Apps, see Decryption Profile. +It is hard to determine a JA3 hash belongs to a Pinning App, but TSG can determine an app is Not Pinning by successful decryption. +And It is relatively easy to collect JA3 hash for Not Pinning Apps. Over time, more and more JA3 hashes of Not Pinning have been collected. +If an SSL session exhibits Pinning characteristics and is not included in the collected JA3 hash of Not Pinning, it is more accurate than ever to tell the application is Pinning. 
+If an SSL session exhibits Pinning characteristics and is included in the collected JA3 hash of Not Pinning, +it is more accurate than ever to tell the APP is a browser without installed root certificate. To configure Dynamic Bypass or Intercept for Pinning Apps, see +\hyperlink{link:Decryption Profile}{\color{linkblue}{Decryption Profile}}. The overall process is as follows: @@ -217,11 +247,10 @@ The overall process is as follows: \begin{enumerate} \item In session records, perform top N statistics on JA3 hash according to different SNI numbers. \item In security event logs, perform top N statistics on SNI according to the number of unique JA3 hash. - \item In security event logs, perform top N on the combination of JA3 hash and SNI according to the bytes transmitted. - \item In security event logs or session records, according to the number of unique JA3 hash, perform top N statistics on Client IP or Internal IP. + \item In security event logs, perform top N on the JA3 hash and SNI combination according to transmitted bytes. + \item According to the number of unique JA3 hash, in Security Events or session records, perform top N statistics on Client IP or Internal IP. \end{enumerate} - \item TSG administrator imports JA3 hashes that meet the requirements in the report analysis result into the DB through TSG interface. - \item JA3 hash is synchronized from DB to Redis. Redis delivers JA3 hash to Proxy. And Proxy uses JA3 hash for Pinning identification. + \item TSG administrator imports JA3 hashes that meet the requirements in the report analysis result into the DB through the TSG interface. \end{enumerate} \end{description} 
@@ -235,10 +264,10 @@ Perform the following steps to create an SSL fingerprint: \item[STEP 5.] Click \textbf{OK}. \end{description} -Go back to SSL Fingerprint tab, you can view detailed information about the SSL Fingerprint list you just created. +Go back to the SSL Fingerprint tab. You can view detailed information about the SSL Fingerprint list you just created. To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can search fingerprint list based on ID and JA3 Hash. Click the Import or Export icon on the right to import or export csv file for SSL fingerprint. -You can also upload User-Agent using json formats. The User-Agent string is often used for content negotiation, +You can search fingerprint list based on ID and JA3 Hash. Click the Import or Export icon on the right to import or export CSV file for SSL fingerprint. +You can also upload User-Agent using JSON formats. The User-Agent string is often used for content negotiation, where the origin server selects suitable content or operating parameters for the response. The concept of content tailoring is built into the HTTP standard in RFC1945 “for the sake of tailoring responses to avoid particular user agent limitations.” The information in the User-Agent string contributes to the information that the client sends to the server, since the string can vary considerably from user to user. 
@@ -248,7 +277,7 @@ The information in the User-Agent string contributes to the information that the \addcontentsline{toc}{section}{Proxy Profiles} \label{sec:decrypt:profile} -A policy rule combines with several conditions and one action. The action determines how to control the traffic, and action parameters are managed in policy profiles. +A policy rule combines several conditions and one action. The action determines how to control the traffic, and action parameters are managed in policy profiles. While policy objects enable you to identify traffic to enforce policies, policy profiles help you define further action. %\pdfbookmark[2]{Response Pages}{Response Pages} @@ -258,7 +287,7 @@ While policy objects enable you to identify traffic to enforce policies, policy When the Proxy Policy or Security Policy terminates matched HTTP session with a response page in Deny action, you can specify a Response Code and a Response Content to generate an error page -or you could upload a html file via \textbf{Proxy Profile} > \textbf{Response Pages}. +or you could upload a HTML file via \textbf{Proxy Profile} > \textbf{Response Pages}. \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Response Pages} tab, and click \textbf{Create}. 
@@ -266,30 +295,30 @@ or you could upload a html file via \textbf{Proxy Profile} > \textbf{Response Pa \item[STEP 3.] Please Upload a \textbf{File}. Allow html/htm format only. \end{description} -Go back to Response Pages tab, you can view detailed information about the page you just created. +Go back to the Response Pages tab. You can view detailed information about the page you just created. To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -To download it, you can click the cloud icon under \textbf{File}, and wait a few seconds for the file to be downloaded to your local folder. -You can search page list based on ID and Name. Enter search conditions in search bar and click search icon. +To download it, you can click the cloud icon under \textbf{File}, and wait a few seconds to download the file to your local folder. +You can search page list based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Insert Scripts}{Insert Scripts} \subsection*{\hypertarget{link:Insert Scripts}{Insert Scripts}} \addcontentsline{toc}{subsection}{Insert Scripts} \label{sec:decrypt:profile:insert} -The Proxy Policy can insert a “js” or “css” scripts to webpages. You can upload a script via \textbf{Proxy} > \textbf{Insert Scripts}. +The Proxy Policy can insert “js” or “CSS” scripts to webpages. You can upload a script via \textbf{Proxy} > \textbf{Insert Scripts}. \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Insert scripts}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. - \item[STEP 3.] Please Upload a \textbf{Script}. Allow js” and “css” only. - \item[STEP 4.] Select a \textbf{Script Type} from drop-down. + \item[STEP 3.] Please Upload a \textbf{Script}. Allow js” and “CSS” only. + \item[STEP 4.] 
Select a \textbf{Script Type} from the drop-down. \end{description} -Go back to Insert Scripts tab, you can view detailed information about the scripts you just created. +Go back to the Insert Scripts tab. You can view detailed information about the scripts you just created. To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. To download it, you can click the cloud icon under \textbf{File}, -and wait a few seconds for the file to be downloaded to your local folder. -You can search scripts list based on ID and Name. Enter search conditions in search bar and click search icon. +and wait a few seconds to download the file to your local folder. +You can search scripts list based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Hijack Files}{Hijack Files} \subsection*{\hypertarget{link:Hijack Files}{Hijack Files}} 
@@ -309,16 +338,17 @@ The Proxy Policy can hijack a downloading file or page. You can upload a file, i \notemark\textit{Note that the Maximum Limitation is 20MB for your uploaded file.} -Go back to Hijack Files tab, you can view detailed information about the file you just created. To edit and delete, find the item you want to edit or delete in the list. -Click \textbf{Edit} or \textbf{Delete} at the top left. To download it, you can click the cloud icon under File, and wait a few seconds for the file to be downloaded to your local folder. -You can search file list based on ID and Name. Enter search conditions in search bar and click search icon. +Go back to the Hijack Files tab. You can view detailed information about the file you just created. To edit and delete, find the item you want to edit or delete in the list. +Click \textbf{Edit} or \textbf{Delete} at the top left. To download it, you can click the cloud icon under File, and wait a few seconds to download the file to your local folder. +You can search the file list based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Traffic Mirror Profiles}{Traffic Mirror Profiles} \subsection*{\hypertarget{link:Decryption Mirror Profiles}{Decryption Mirror Profiles}} \addcontentsline{toc}{subsection}{Decryption Mirror Profiles} \label{sec:decrypt:profile:mirror} -You also can mirror proxied traffic (decrypted) to third-party servers by referring a traffic mirror profile. The destination servers are described with VLAN Tag or MAC addresses, traffic will be load balanced over multiple servers of one profile. +You also can mirror proxied traffic (decrypted) to third-party servers by referring to a traffic mirror profile. +The destination servers are described with VLAN Tag or MAC addresses. Traffic will be load-balanced over multiple servers of one profile. You can manage the profile by the following procedure: 
@@ -326,19 +356,19 @@ You can manage the profile by the following procedure: \begin{description} \item[STEP 1.] Select \textbf{Profiles} > \textbf{Proxy} > \textbf{Decryption Mirror Profiles} tab, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. - \item[STEP 3.] Select VLAN or MAC as your \textbf{Connectivity} from drop-down. - \item[STEP 4.] Enter \textbf{VLAN ID/MAC}. Make sure to input valid mirror destination MAC address. + \item[STEP 3.] Select VLAN or MAC as your \textbf{Connectivity} from the drop-down. + \item[STEP 4.] Enter \textbf{VLAN ID/MAC}. Make sure to input a valid mirror destination MAC address. \end{description} -Go back to Traffic Mirror Profiles tab, you can view detailed information about the profile you just created. +Go back to the Traffic Mirror Profiles tab. You can view detailed information about the profile you just created. To edit and delete, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can search profile list based on ID and Name. Enter search conditions in search bar and click search icon. +You can search the profile list based on ID and Name. Enter search conditions in the search bar and click the search icon. %\pdfbookmark[2]{Decryption Profile}{Decryption Profile} \subsection*{\hypertarget{link:Decryption Profile}{Decryption Profile}} \addcontentsline{toc}{subsection}{Decryption Profile} \label{sec:decrypt:profile:decryptionprofile} -A Decryption Profile includes three parts: Certificate Checks, Dynamic bypass and Protocol Version. +A Decryption Profile includes three parts: Certificate Checks, Dynamic bypass, and Protocol Version. %\pdfbookmark[3]{Certificate Checks}{Certificate Checks} \subsubsection*{\hypertarget{link:Certificate Checks}{Certificate Checks}} 
@@ -348,7 +378,7 @@ A Decryption Profile includes three parts: Certificate Checks, Dynamic bypass an Server certificate verification options allow you to customize certificate check approaches. -\textbf{Common Name}: TSG checks if the client hello’s SNI extension matches CN and SAN of the certificate. +\textbf{Common Name}: TSG checks if the client hello’s SNI extension matches the CN and SAN of the certificate. \textbf{Issuer}: TSG checks the certificate chain if the issuer is a trusted certificate authority list. See Certificate Managements > Trusted Certificate Authorities > Built-in for a complete list. @@ -360,11 +390,13 @@ Server certificate verification options allow you to customize certificate check \textbf{Expiry Date}: TSG checks if a certificate is expired with the system clock. -\textbf{Fail Action}: If certificate is considered invalid, the proxy will take the fail action: +\textbf{Fail Action}: If the certificate is considered invalid, the proxy will take the fail action: \begin{itemize} \item \textbf{Fail-Close}: Terminate the SSL session by close the TCP connection. - \item \textbf{Pass-through}: For expired, untrusted issuer or self-signed certificate, TSG send a certificate that signed by the default untrusted keyring to client-side. Thus, the client-side browser raises an untrusted issuer warning. For mismatched common names, TSG send a certificate that signed by policy defined keyring, client-side browser raises a common name invalid warning. + \item \textbf{Pass-through}: For expired, untrusted issuer or self-signed certificate, TSG sends a certificate signed by + the default untrusted keyring to the client-side. Thus, the client-side browser raises an untrusted issuer warning. + For mismatched common names, TSG sends a certificate signed by policy-defined keyring, client-side browser raises a common name invalid warning. \end{itemize} %\pdfbookmark[3]{Dynamic Bypass}{Dynamic Bypass} 
@@ -372,25 +404,30 @@ Server certificate verification options allow you to customize certificate check \addcontentsline{toc}{subsubsection}{Dynamic Bypass} \label{sec:decrypt:profile:decryptionprofile:bypass} -Dynamic bypass options allow you to customize intercept exceptions on policy basis. If an SSL session matches an intercept policy, and has one of following enabled properties, further communication will be exempt from intercept. That is to say, with dynamic bypass enabled, client-side can visit normally. +Dynamic bypass options allow you to customize intercept exceptions on a policy basis. +If an SSL session matches an intercept policy and has one of the following enabled properties, further communication will be exempt from interception. +That is to say, with dynamic bypass enabled, the client-side can visit normally. \textbf{EV Certificate}: An Extended Validation (EV) Certificate is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority. -\textbf{Certificate Transparency}: Certificate Transparency (CT) is an internet security standard and open source framework for monitoring and auditing digital certificates. +\textbf{Certificate Transparency}: Certificate Transparency (CT) is an internet security standard and open-source framework for monitoring and auditing digital certificates. -\textbf{Mutual Authentication}: Mutual authentication is a process or technology in which both entities in a communications link authenticate each other. The server sends a client certificate request, and the client must response with a valid certificate. Proxy could not intercept SSL sessions with mutual authenticated, these sessions will be blocked when this option is disabled. 
+\textbf{Mutual Authentication}: Mutual authentication is a process or technology in which both entities in a communications link authenticate each other. +The server sends a client certificate request, and the client must respond with a valid certificate. +The proxy could not intercept SSL sessions with mutual authenticated, and these sessions will be blocked when this option is disabled. -\textbf{On Protocol Errors}: Protocol errors are unsupported ciphers, communication exceptions and etc., enable this option will increase network availabilities. +\textbf{On Protocol Errors}: Protocol errors are unsupported ciphers, communication exceptions, etc., enable this option will increase network availabilities. -\textbf{Certificate Pinning}: The application known the server certificate by hard-coding, and can then ignore the device's trust store and rely on its own. -The proxy detects pinning by client alert and SSL handshake errors. The proxy can also determine whether the current connection is Pinning through the SSL fingerprint profile. -The SSL Fingerprint profile will be checked in advanced than client alert and SSL handshake errors when proxy detects pinning. -Proxy could not intercept SSL sessions with certificate pinning, these sessions will be blocked when this option is disabled. +\textbf{Certificate Pinning}: The application knows the server certificate by hard-coding and can then ignore the device’s trust store and rely on its own. +The proxy detects pinning by client alert and SSL handshake errors. +The proxy can also determine whether the current connection is Pinning through the SSL fingerprint profile. +The SSL Fingerprint profile will be checked in advance. The proxy could not intercept SSL sessions with certificate pinning; otherwise, +these sessions will be blocked when this option is disabled. For more details, see \textbf{\hyperlink{link:Dynamic Bypass when Certificate Pinning}{\color{linkblue}{Dynamic Bypass when Certificate Pinning}}}. 
@@ -403,24 +440,31 @@ For more details, see \textbf{\hyperlink{link:Dynamic Bypass when Certificate is \label{sec:decrypt:profile:decryptionprofile:bypass:pinning} %\newline -Certificate pinning is the process of a client check the server certificate with its pre-configured certificate list, if the server certificate does not match then the client will prevent the session from taking place. This enforcement ensures that the user devices are communicating only to the dedicated trustful servers. Applications, such as Facebook, Twitter and Apple App store, utilize certificate pinning approach. +Certificate pinning is the process of a client check the server certificate with its pre-configured certificate list, +if the server certificate does not match then the client will prevent the session from taking place. +This enforcement ensures that the user devices are communicating only to the dedicated trustful servers. +Applications, such as Facebook, Twitter and Apple App store utilize certificate pinning approach. -In order for an SSL proxy to decrypt and re-encrypt traffic so that a proxy policy can be enforced it needs to intercept the server certificate sent by the server to the client. Once it has intercepted the server certificate it will replace the server certificates with keyring signed ones. If a site works in a browser but not in an app on the same device, you are almost certainly looking at an instance of certificate pinning. +For an SSL proxy to decrypt and re-encrypt traffic to enforce a proxy policy, it needs to replace the server certificate sent by the server to the client. +Once it has intercepted the server certificate it will replace the server certificates with keyring signed ones. +If a site works in a browser but not in an app on the same device, you are almost certainly looking at an instance of certificate pinning. -In reality, MITM applications of certificate pinning will block their communications. 
Alternatively, you can configure SSL Proxy to automatically bypass the next connection when the first N attempts to establish a connection fails. +In reality, MITM applications of certificate pinning will block their communications. +Alternatively, you can configure SSL Proxy to automatically bypass the next connection when the first N attempts to establish a connection fails. -The following behavior are indications of application use certificate pinning: +The following behaviors are indications of application use certificate pinning: • The proxy received an SSL ALERT Message from the client during the SSL handshake. The Alert is usually an “Unknown CA (48)” alert indicating Certificate Pinning. -• The proxy received no alerts, instead, it received a TCP reset after the handshake is done. +• The proxy received no alerts; instead, it received a TCP reset after the handshake is done. -If the SSL connection establishment fails as above for 4 or more times in 5 minutes, the proxy will consider it as certificate pinning, following attributes will be recorded for bypassing further connections: +If the SSL connection establishment fails as above for 4 or more times in 5 minutes, the proxy will consider it as certificate pinning. +Following attributes will be recorded for bypassing further connections: • Client IP address 
@@ -432,7 +476,7 @@ If the SSL connection establishment fails as above for 4 or more times in 5 minu • SSL fingerprints, e.g. cipher suites of SSL handshake message -Different applications often have different handshake fingerprints, and therefore the proxy will only bypass those use certificate pinning. +Different applications often have different handshake fingerprints, and therefore the proxy will only bypass those who use certificate pinning. %\pdfbookmark[4]{Dynamic Bypass when Certificate is Not Installed}{Dynamic Bypass when Certificate is Not Installed} \hypertarget{link:Dynamic Bypass when Certificate is Not Installed}{\paragraph{Dynamic Bypass when Certificate is Not Installed}} 
@@ -440,16 +484,22 @@ Different applications often have different handshake fingerprints, and therefor \label{sec:decrypt:profile:decryptionprofile:bypass:notinstalled} %\newline -As a best practice, the trusted root certificate certificates should be installed on clients to ensure that the browsers/apps perform the certificate checks to validate the identity of the proxy before establishing a connection. When client does not install the trusted root certificate, intercept its SSL connection will be failed. +As a best practice, the trusted root certificate certificates should be installed on clients to ensure that the browsers/apps perform the certificate checks to +validate the proxy's identity before establishing a connection. When a client does not install the trusted root certificate, intercept its SSL connection will be failed. -The challenge is the behavior of certificate not installed is very similar to certificate pinning. The proxy determines whether the current connection is Not Pinning by querying the SSL fingerprint profile. When an SSL connection fails like certificate pinning, and its fingerprint status is Not Pinning, the application is not considered as certificate pinning. Following figure shows the process. +The challenge is the behavior of certificate not installed is very similar to certificate pinning. +The proxy determines whether the current connection is Not Pinning by querying the SSL fingerprint profile. +When an SSL connection fails like certificate pinning, and its fingerprint status is Not Pinning, the application is not considered as certificate pinning. +Following figure shows the process. You can configure SSL Proxy to automatically bypass those applications, or alternatively, still intercept to make the client install the trusted root certificate. -Let’s dig into the technical details by a use case. There are two clients, client A and B, reside in our network. 
They shared a same IPv4 address (NAT), where client A has trusted root certificate installed and uses Facebook app (pinning); client B has no root certificate installed and uses Chrome to visit Facebook website (not pinning). With dynamic bypass configuration: +Let’s dig into the technical details by a use case. There are two clients, client A and B, who reside in our network. +They shared the same Ipv4 address (NAT), where client A has a trusted root certificate installed and uses the Facebook app (pinning); +client B has no root certificate installed and uses Chrome to visit the Facebook website (not pinning). With dynamic bypass configuration: • Certificate Pinning: Enabled 
@@ -465,10 +515,12 @@ At the beginning, both Client A and B’s SSL connections are failed for their o \addcontentsline{toc}{subsubsection}{Protocol Version} \label{sec:decrypt:profile:decryptionprofile:version} -Protocol Versions allows you to configure SSL/TLS versions. By default, Proxy mirrors the client versions. Note that some website disable SSLv3 supports for security concerns, set both minimum and maximum version to SSLv3 will interrupt communications. +Protocol Version allows you to configure SSL/TLS version. By default, Proxy mirrors the client versions. +Some websites disable SSLv3 supports for security concerns; setting both minimum and maximum versions to SSLv3 will interrupt communications. -HTTP/2 is a major revision of the HTTP network protocol that provide increased speed. If Allow HTTP/2 is enabled, user will have better experience, but requires third-party systems to be able to process decrypted HTTP/2 traffic. +HTTP/2 is a major revision of the HTTP network protocol that provides increased speed. +If Allow HTTP/2 is enabled, the user will have better experience, but requires third-party systems to process decrypted HTTP/2 traffic. %\pdfbookmark[3]{Create a Decryption Profile}{Create a Decryption Profile} \subsubsection*{\hypertarget{link:Create a Decryption Profile}{Create a Decryption Profile}} 
@@ -482,8 +534,8 @@ Perform the following to create a decryption profile: \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Enable or disable the following certificate checks: \textbf{Common Name}, \textbf{Issuer}, \textbf{Self-signed} and \textbf{Expiry Date}. If you enable Common Name, select Fail-close or Pass-through as your \textbf{Fail Action}. \item[STEP 4.] Enable or disable the following Dynamic bypass: \textbf{EV Certificate}, \textbf{Certificate Transparency}, \textbf{Mutual Authentication}, \textbf{On Protocol Errors}, \textbf{Certificate Pinning}, \textbf{Certificate Not Installed}. - \item[STEP 5.] Enable or disable the following Protocol Versions: \textbf{Mirrors Client Versions}, \textbf{Allow HTTP/2}. If you disable Mirrors Client Versions, you need to select the Min Version and Max Version from SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. + \item[STEP 5.] Enable or disable the following Protocol Versions: \textbf{Mirrors Client Versions}, \textbf{Allow HTTP/2}. If you disable Mirrors Client Versions, you must select the Min and Max versions from SSLv3.0, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. \end{description} -Go back to Decryption Profile tab, you can view detailed information about the profile you just created. To edit and delete, find the item you want to edit or delete in the list. -Click \textbf{Edit} or \textbf{Delete} at the top left. You can search profile list based on ID and Name. Enter search conditions in search bar and click search icon. +Go back to the Decryption Profile tab. You can view detailed information about the profile you just created. To edit and delete, find the item you want to edit or delete in the list. +Click \textbf{Edit} or \textbf{Delete} at the top left. You can search the profile list based on ID and Name. Enter search conditions in the search bar and click the search icon. 
diff --git a/content/DoS Detection.tex b/content/DoS Detection.tex index 4d2f680..72f645e 100644 --- a/content/DoS Detection.tex +++ b/content/DoS Detection.tex 
@@ -2,16 +2,20 @@ \addcontentsline{toc}{chapter}{DoS Detection} \label{sec:detection} -A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. +A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users +by temporarily or indefinitely disrupting the services of a host connected to the Internet. +Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems +and prevent some or all legitimate requests from being fulfilled. -In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source. +In a distributed denial-of-service attack (DDoS attack), the victim's incoming traffic originates from many different sources. +This effectively makes it impossible to stop the attack simply by blocking a single source. The implications for victims range from a nuisance to millions of dollars in lost revenue. -TSG supports DoS or DDoS detection that includes TCP flood (SYN, ACK, invalid flag combination), UDP flood, ICMP flood, DNS Amplification. +TSG supports DoS or DDoS detection, including TCP flood (SYN, ACK, invalid flag combination), UDP flood, ICMP flood, and DNS flood. { 
@@ -25,19 +29,31 @@ TSG supports DoS or DDoS detection that includes TCP flood (SYN, ACK, invalid fl \addcontentsline{toc}{section}{DoS Overview} \label{sec:DoS:overview} -Computer network security is a challenge as old as the Internet itself. In such a DoS attack, the hacker attempts to consume all the resources of a networked system so that no other users can be served. In distributed denial of service (DDoS) attacks, attackers write a program that will covertly send itself to dozens, hundreds, or even thousands of other computers. These computers are known as 'bots' or 'zombies', because they act on behalf of the hackers to launch an attack against target systems. A network of these computers is called a botnet. An administrator of such a botnet is called a botmaster. the botmaster will cause all of these bots to attempt repeated connections to a target site. If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers. +Computer network security is a challenge as old as the Internet itself. In such a DoS attack, the hacker attempts to consume all the resources of a networked system +so that no other users can be served. In distributed denial of service (DDoS) attacks, attackers write a program that will covertly send itself to dozens, hundreds, +or even thousands of other computers. These computers are known as 'bots' or 'zombies', because they act on behalf of the hackers to launch an attack against target systems. +A network of these computers is called a botnet. An administrator of such a botnet is called a botmaster. +The botmaster will cause all of these bots to attempt repeated connections to a target site. +If the attack is successful, it will deplete all system or network resources, thereby denying service to legitimate users or customers. 
-To circumvent detection, attackers are either increasingly mimicking the behavior of a large number of clients or actually using a large number of IoT clients. The resulting attacks are hard to defend against with standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. Because each attacking system looks innocent, advanced techniques are required to separate the 'bad' traffic from the 'good' traffic. +To circumvent detection, attackers are either increasingly mimicking the behavior of a large number of clients or using a large number of IoT clients. +The resulting attacks are hard to defend against with standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. +Because each attacking system looks innocent, advanced techniques must separate the 'bad' traffic from the 'good' traffic. \section*{\hypertarget{link:DoS Detection}{DoS Detection}} \addcontentsline{toc}{section}{DoS Detection} \label{sec:DoS:detection} -TSG supports DoS or DDoS detection that includes TCP flood (SYN, ACK, invalid flag combination), UDP flood, ICMP flood, DNS Amplification. +TSG supports DoS or DDoS detection including TCP flood (SYN, ACK, invalid flag combination), UDP flood, ICMP flood, and DNS flood. -TSG will display DDoS detection result in two ways: DoS Event Logs and DoS Threat Map. DoS event logs support log retrieval by Source IPs, Destination IP, Attack Type, Start Time and End Time. DoS threat map allows attack trend display within given time span. The attack source and destination are obtained by mapping source IPs, destination IP with geography in IP libraries. DoS threat map displays attacks of last 1 hour by Attack Type, Severity, Top Source Countries, Top Destination and Top Victims. +TSG will display DDoS detection result in two ways: DoS Event Logs and DoS Threat Map. 
DoS event logs support log retrieval by +Source IPs, Destination IP, Attack Type, Start Time and End Time. DoS threat map allows attack trend display within given time span. +The attack source and destination are obtained by mapping source IPs, destination IP with geography in IP libraries. +DoS threat map displays attacks of last 1 hour by Attack Type, Severity, Top Source Countries, Top Destination and Top Victims. -DoS or DDoS logs are aggregated based on thresholds and baseline. For example, within 30s, there are more than 10000 TCP SYN in destination IP, will be ruled as SYN Flood. To detect Dos attacks, you can customize threshold conditions by creating DoS Detection Profile for Target IPs. The threshold units are Packets/second, Bits/second and Sessions/ second. +DoS or DDoS logs are aggregated based on thresholds and baseline. For example, within the 30s, more than 10000 TCP SYN in destination IP, will be ruled as SYN Flood. +To detect Dos attacks, you can customize threshold conditions by creating DoS Detection Profile for Target IPs. +The threshold units are Packets/second, Bits/second and Sessions/ second. diff --git a/content/Getting_Started.tex b/content/Getting_Started.tex index 95cb69d..f842291 100644 --- a/content/Getting_Started.tex +++ b/content/Getting_Started.tex @@ -9,8 +9,8 @@ %\section{test} %\addcontentsline{toc}{section}{test......} -The following topics provide system overview and detailed steps to help you logging into Tiangou Secure Gateway (TSG). -Then it goes on to elaborate how to set up a basic security policy and a basic proxy policy. +The following topics provide a system overview and detailed steps to help you logging into Tiangou Secure Gateway (TSG). +Then it goes on to elaborate on how to set up a basic security policy and a basic proxy policy. Administrators can configure, manage, and monitor Tiangou Secure Gateway using the web interface, CLI, and TSG Integration API. { 
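Review bot: the threshold example in the final changed lines of the @@ -25 hunk, "within the 30s, more than 10000 TCP SYN in destination IP, will be ruled as SYN Flood", now reads as a decade and still lacks a verb; suggest "more than 10000 TCP SYN packets to one destination IP within 30 seconds is classified as a SYN flood", and say whether 30 s and 10000 are the profile defaults or only an illustration, since the next sentence makes the thresholds configurable per target IP. "Baseline" is mentioned alongside thresholds but never defined; one sentence on how the baseline is learned, and over what period, would let an operator reason about false positives. Smaller items in the same lines: "Dos attacks" should be "DoS attacks", "Sessions/ second" has a stray space, and "In such a DoS attack" in the first paragraph has no antecedent. In the Getting_Started hunk that follows, "help you logging into" remains ungrammatical; "help you log in to".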
@@ -36,7 +36,7 @@ Administrators can configure, manage, and monitor Tiangou Secure Gateway using t \addcontentsline{toc}{subsection}{Purpose} \label{sec:intro:overview:purpose} -The Tiangou Secure Gateway (TSG) can be used for any purpose where keeping track of the traffic flowing in a network is useful. +The Tiangou Secure Gateway (TSG) can be used for any purpose where keeping track of the traffic flowing in a network is helpful. The following are examples of such purposes:\\ 
@@ -54,19 +54,19 @@ The following are examples of such purposes:\\ Tiangou Secure Gateway (TSG) is a scalable traffic management product for all types of network environments. TSG performs deep packet and flow inspection on Internet Protocol (IP) packets, and classifies their content using stream-based analysis engine. TSG Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. -TSG firewall uses a network stack to process the packet, like the OSI model. When a network packet passes through, it will be parsed and resembled to a network session. +TSG firewall uses a network stack to process the packet, like the OSI model. When a network packet passes through, it will be parsed and reassembled to a network session. And the reassembled network session is decoded to identify the embedded content. Tiangou Secure Gateway’s Proxy module enables authorities to perform layer 4-7 advanced manipulation of application and user traffic for interception. -The Proxy is deployed in transparent mode; thus, no proxy settings on browser side. +The Proxy is deployed in transparent mode; thus, no proxy settings on the browser side. TSG enables service providers and organizations to gain insight into their network and control traffic in high-performance environments, such as large data centers and high-bandwidth network perimeters. TSG allows content visibility of HTTP, DNS, MAIL, FTP, SSL and SIP. -TSG identifies and controls applications as well as evasive tools blocking. The TSG is able to modify HTTP sessions, as well as override redirect request, +TSG identifies and controls applications as well as evasive tools blocking. The TSG can modify HTTP sessions, override redirect request, modify headers, inject scripts, replace texts and respond with an uploaded file. -The TSG has an SSL Proxy allows all decrypted traffic to be mirrored to a third-party system for additional analysis. 
+The TSG has an SSL Proxy that allows all decrypted traffic to be mirrored to a third-party system for additional analysis. %\pdfbookmark[2]{Who is this Guide for?}{Who is this Guide for?} @@ -97,8 +97,8 @@ However, the best practice is to install the latest version. \begin{description} - \item[STEP 1.]Using a browser, open the home page of the system, for example, (http://). You can use the IPv4 or IPv6 address. - \item[STEP 2.]Enter your username and password defined for the TSG, select your own \textbf{Language} and set the \textbf{Authentication Mode} to \textbf{LOCAL}, then click \textbf{Login}. + \item[STEP 1.]Using a browser, open the system's home page, for example, (http://). You can use the IPv4 or IPv6 address. + \item[STEP 2.]Enter your username and password defined for the TSG, select your \textbf{Language} and set the \textbf{Authentication Mode} to \textbf{LOCAL}, then click \textbf{Login}. \item[STEP 3.]You can see your User Name at the top right of the web interface. Click it and you can change the language settings to English, Chinese or Russian. You can also Sign Out from here. \end{description} @@ -136,8 +136,8 @@ To configure current account preference, you can click \textbf{My Account} in th To prevent unauthorized users from gaining access to an account with nothing more than a stolen password. -TSG users can enable Two-Factor authentication strengthen the security of an account. -Two-factor authentication is a combination of two of the following: your password and a text with a code sent to your smartphone or other device. +TSG users can enable Two-Factor authentication to strengthen the security of an admin account. +Two-factor authentication is a combination of two of the following: your password and a text with a code  from your smartphone application. It is recommended to use cloud-based mobile authenticator apps such as GOOGLE Authenticator, Microsoft Authenticator. 
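Review bot: in the @@ -136 hunk on this line, the rewritten sentence "Two-factor authentication is a combination of two of the following: your password and a text with a code  from your smartphone application" is internally inconsistent: it lists exactly two items after "two of the following", keeps "a text" (which implies SMS) while now pointing at an authenticator app, and has a double space. Since the next line recommends Google Authenticator and Microsoft Authenticator, state plainly that the second factor is a time-based one-time code generated by the authenticator app, and drop "cloud-based", which is not what makes those apps suitable. In the @@ -97 hunk above it, the example URL "(http://)" is empty in both the old and the new line; either supply a placeholder for the management address or remove the parenthesis.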
@@ -147,7 +147,7 @@ It is recommended to use cloud-based mobile authenticator apps such as GOOGLE Au \label{sec:intro:logging:restrictions} TSG restricts administrator logins to improve system security. An IP address will be Lockout after maximum login attempts. -And you can specify limited IP addresses to be able to login the system. Configure Login Restrictions by the following procedure: +And you can specify limited IP addresses to be able to log in to the system. Configure Login Restrictions by the following procedure: \begin{description} @@ -155,7 +155,7 @@ And you can specify limited IP addresses to be able to login the system. Configu \item[STEP 2.]If you wish to set the IP addresses that are allowed to log in, enable \textbf{Set to allow login IP}. By default, it is off, and all IP addresses are allowed to log in. Once enabled, up to 256 IPv4 CIDRs can be configured. For example, 192.168.0.1/32, 192.168.1.1/24. \item[STEP 3.](\textcolor{gold}{Optional})Add \textbf{IP} addresses if you enabled Set to allow login IP. - \item[STEP 4.]Configure \textbf{Maximum Login Attempts}, if the number of attempts reaches the limit, the client IP will be locked. + \item[STEP 4.]Configure \textbf{Maximum Login Attempts}. If the number of attempts reaches the limit, the client IP will be locked. \item[STEP 5.]Specify \textbf{Lockout Time}. Within the lockout time period, this client IP cannot log into the system even with the correct user name and password. \item[STEP 6.]Click \textbf{OK}. \end{description} 
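Review bot: the CIDR example in the STEP 2 context line of the @@ -155 hunk, "192.168.1.1/24", has host bits set; write it as "192.168.1.0/24", or state that the UI masks host bits, so that administrators do not copy an ambiguous value into an allow-list. The lockout in STEP 4 and STEP 5 is keyed on the client IP, which means administrators behind a shared NAT or proxy address are locked out together when anyone at that address exhausts the attempts; the text should say so, and should give the unit of Lockout Time. In the @@ -147 hunk, the unchanged "An IP address will be Lockout after maximum login attempts" still reads oddly; "will be locked out after the maximum number of login attempts".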
@@ -165,7 +165,7 @@ And you can specify limited IP addresses to be able to login the system. Configu \addcontentsline{toc}{section}{Set Up a Basic Security Policy} \label{sec:intro:security} -Use the following workflow set up a very basic Security policy. This gives you a brief idea of policies so that you can verify that you have successfully configured TSG. +Use the following workflow to set up a basic Security policy. This gives you a brief idea of policies to verify that you have successfully configured TSG. \begin{description} \item[STEP 1.] Launch the Web Interface. @@ -188,7 +188,9 @@ Use the following workflow set up a very basic Security policy. This gives you a \item Verify that Enabled is enabled. \item Click \textbf{OK}. \end{enumerate} - \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 when it sends a HTTP request to the 172.16.0.1 server: + \item[STEP 2.] (\textcolor{gold}{Optional})To verify that you have set up your basic policies effectively, test whether your Security policy rules are being evaluated + and determine which rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 + when it sends a HTTP request to the 172.16.0.1 server: \begin{enumerate} \item Select \textbf{System} > \textbf{Trouble Shooting} > \textbf{Policy Verify}. \item Select \textbf{Security Policy Match} from the \textbf{Select Test} drop-down. 
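Review bot: the rewrapped STEP 2 in the @@ -188 hunk keeps "sends a HTTP request"; "an HTTP request". It would also help to say what the Policy Verify tool reports when no rule matches, since the @@ -165 hunk promises this workflow will "verify that you have successfully configured TSG", and the no-match case is the one an administrator needs to recognize.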
@@ -197,13 +199,13 @@ Use the following workflow set up a very basic Security policy. This gives you a \item Select the \textbf{Protocol} and \textbf{APP ID} from the drop-down. \item Click \textbf{Verify} to execute the \textbf{Security policy match} test. \end{enumerate} - \item[STEP 3.] After the policy has been hit, view Logs to monitor the policy rule status and determine the effectiveness of the policy rule. + \item[STEP 3.] After the policy has been matched, view Logs to monitor the policy rule status and determine the effectiveness. Select \textbf{Logs} > \textbf{Security Events} and view relative information about the policy. \end{description} -\notemark\textit{When you are creating or editing policies and objects, click the sidebar menu will not navigate you to the corresponding page. -A prompt window will appear to remind you that changes you made are not saved.} +\notemark\textit{When creating or editing policies and objects, click the sidebar menu will not navigate you to the corresponding page. +A prompt window will appear to remind you that the changes you made are not saved.} %\pdfbookmark[1]{Set Up a Basic Proxy Policy}{Set Up a Basic Proxy Policy} @@ -211,7 +213,7 @@ A prompt window will appear to remind you that changes you made are not saved.} \addcontentsline{toc}{section}{Set Up a Basic Proxy Policy} \label{sec:intro:proxy} -Security Policies with Intercept actions intercept HTTP/HTTPS traffic for proxy, which is a prerequisite for proxy policy. +Security Policies with Intercept actions intercept HTTP/HTTPS traffic for proxy, it's a prerequisite for proxy policy. You can perform the following to set up a basic proxy policy. \\ 
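Review bot: in the @@ -211 hunk, "intercept HTTP/HTTPS traffic for proxy, it's a prerequisite for proxy policy" turns a correct relative clause into a comma splice; the previous "which is a prerequisite for proxy policy" should stay. In the note in the @@ -197 hunk, "click the sidebar menu will not navigate you" needs "clicking": "When creating or editing policies and objects, clicking the sidebar menu will not navigate you to the corresponding page."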
@@ -256,12 +258,12 @@ You can perform the following to set up a basic proxy policy. \\ You can use the TSG Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH. The TSG CLI is a TSG specific command shell. By leveraging industry-standard tools and utilities, the CLI provides a set of commands that you can use to monitor and configure TSG devices. -TSG CLI supports two types of command, TSG specified commands and Linux-like system operational commands. -TSG specified commands help control policy and object, configure and check devices status. The commands related with policy and object control work on all TSG devices cluster. -The other CLI commands only work on local device. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency. +TSG CLI supports two types of commands, TSG specified commands and Linux-like system operational commands. +TSG specified commands help control policy and object, configure and check devices status. The commands related to policy and object control work on all TSG cluster. +The other CLI commands only work on local devices. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency. -For more details, please view \textcolor{darkblue}{\textbf{\underline{TSG CLI User Guide}}}. +For more details, please view the \textcolor{darkblue}{\textbf{\underline{TSG CLI User Guide}}}. %\pdfbookmark[1]{TSG Integration API}{TSG Integration API} \section*{\hypertarget{link:TSG Integration API}{TSG Integration API}} 
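Review bot: the change from "only work on local device" to "only work on local devices" in this hunk loses the point of the sentence, which contrasts cluster-wide policy and object commands with commands that act only on the device the administrator is logged into; keep the singular, e.g. "The other CLI commands only act on the local device." Likewise "work on all TSG cluster" should be "work on every device in the TSG cluster". "TSG specified commands" reads better as "TSG-specific commands" in both changed lines.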
@@ -321,7 +323,7 @@ To restrict system access to authorized users, TSG provides role-based access co and users are made members of appropriate roles, thereby acquiring the roles' permissions. This leads to “user-role-permission” authorization model. In TSG system, the relationship between users and roles is one-to-one, and the relationship between roles and functional permissions is one-to-many. That is, a user can only have one role, and a role can be assigned multi-level permissions to different features. For each feature, there are three permission levels: Enable, Read Only and Disable. -When the user has Read Only permission to a feature which normally is related with certain menu, the user cannot click Create, Edit, Delete, Enable and Disable button +When the user has Read Only permission to a feature that normally is related to a certain menu, the user cannot click the Create, Edit, Delete, Enable and Disable button and the detail pages of Policies and Objects are locked. 
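Review bot: the context line above the change says "the relationship between users and roles is one-to-one", but the explanation that follows (a user has exactly one role, a role carries many permissions) and the later requirement of "at least one other superuser administrative account" describe many users sharing one role, i.e. many-to-one from users to roles; fix the wording so the model is not read as one account per role. The changed line's "the user cannot click the Create, Edit, Delete, Enable and Disable button" should be "buttons", and it is worth stating whether Read Only is enforced on the Integration API as well as in the web interface, since a greyed-out button alone is not an access control.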
@@ -338,28 +340,25 @@ Perform the following steps to add a LOCAL administrative account on TSG.\\ \begin{description} \item[STEP 1.] Select \textbf{Administration} > \textbf{Admins}, select tab Users and click \textbf{Create}. \item[STEP 2.] Enter a \textbf{Name} to identify the account. - \item[STEP 3.] Enter your \textbf{User Name} which is the login name and \textbf{Password}. + \item[STEP 3.] Enter your \textbf{User Name}, which is the login name and \textbf{Password}. \item[STEP 4.] Please \textbf{Confirm Password}. \item[STEP 5.] If you enable \textbf{Required Password Change}, fill in the \textbf{Required Password Change Period}. - A message will show up when you login after the period expires to enforce you to change to a new password. + A message will show up when you log in after the period expires to force you to change to a new password. \item[STEP 6.] Verify that the account is \textbf{Enabled}. - \item[STEP 7.] Select \textbf{Role} from dropdown list. Each account must and can only have one role, which defines different user permissions. + \item[STEP 7.] Select \textbf{Role} from the dropdown list. Each account must and can only have one role, which defines different user permissions. For details, see \hyperlink{link:Roles and Permissions}{\textcolor{linkblue}{Roles and Permissions}}. \item[STEP 8.] Click \textbf{OK}. - \item[STEP 9.] (\textcolor{gold}{Optional})To verify that you have add a TSG account effectively, you can \textbf{Sign Out} and log into the system with the new account. + \item[STEP 9.] (\textcolor{gold}{Optional})To verify that you have added a TSG account effectively, you can \textbf{Sign Out} and log into the system with the new account. Select \textbf{System Logs} > \textbf{Login Log} and you can view your login information. 
\end{description} If compliance, audit, or security requirements stipulate that the default administrative account must be removed from your devices, -you can remove it after you create at least one other superuser administrative account. -You cannot remove the default administrative account until you configure at least one other superuser administrative account on the device. +you can block it after you create at least one other superuser administrative account. +You cannot block the default administrative account until you configure at least one other superuser administrative account on the device. Perform the following steps to delete an account on TSG.\\ \begin{description} - \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Admins} and find the item you want to delete in the list. - \item[STEP 2.] Click \textbf{Delete} at the top left. Click \textbf{Delete} to confirm. + \item[STEP 1.] Select tab Users of \textbf{Administration} > \textbf{Admins} and find the item you want to disable in the list. + \item[STEP 2.] Disable the account by turn off the \textbf{Enable} switch. \end{description} -If you wish to temporarily disable an account, you can search it by User Name or Name at the top right search box. -Then click the switch under \textbf{Enable}. Please make sure your account is assigned the proper role with proper permission before you do \textbf{Delete} or \textbf{Enable}. -See \hyperlink{link:Roles and Permissions}{\textcolor{linkblue}{Roles and Permissions}} to find more details. \notemark\textit{And TSG supports 100 concurrent users at present.} 
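Review bot: the @@ -338 hunk changes the procedure from deleting to disabling an account but leaves the surrounding text describing removal: the context line still says "Perform the following steps to delete an account on TSG", and the preceding paragraph says compliance requirements may stipulate that the default account "must be removed" and then offers to "block" it. A disabled account can be re-enabled by anyone allowed to flip the Enable switch, so if deletion is no longer supported the text should say so explicitly and let readers judge whether disabling satisfies their requirement; if deletion still exists, keep both procedures. The new STEP 2 has a grammar slip, "by turn off" for "by turning off", and the dropped sentence reminding administrators to check their own role before changing accounts was useful and could be kept.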
@@ -374,8 +373,8 @@ There are two predefined roles in TSG, including:\\ • superreader: read only permissions to all features. -\notemark\textit{If a user’s role permissions enable TSG feature "Administrator-Users-Users" and at least include "Administrator-Users-Roles" Read Only access, -the user can create new users, and modify other users’ role permissions. This ability can affect the access rights of all users, please authorize with caution.} +\notemark\textit{Suppose a user’s role permissions enable TSG feature "Administrator-Users-Users" and at least include "Administrator-Users-Roles" Read Only access. In that case, +the user can create new users, and modify other users’ role permissions. This ability can affect the access rights of all users. Please authorize with caution.} Perform the following to create a new role: @@ -390,7 +389,7 @@ Perform the following to create a new role: \end{description} -\notemark\textit{It is recommended to configure the same access permission for Policies, Objects and System menu, because their data are related. +\notemark\textit{It is recommended to configure the same access permission for the Policies, Objects and System menu, because their data are related. Make sure Devices are enabled before you enable Dashboard, because Devices affects the reading of data for device module in Dashboard.} @@ -399,7 +398,7 @@ Make sure Devices are enabled before you enable Dashboard, because Devices affec \addcontentsline{toc}{subsection}{Enroll LDAP Servers} \label{sec:intro:admin:ldap} -Configuring TSG to connect to a LDAP server enables you to login in LDAP Authentication Mode with LDAP account. Perform the following steps to add a LDAP server on TSG. +Configuring TSG to connect to an LDAP server enables you to login in LDAP Authentication Mode with LDAP account. Perform the following steps to add a LDAP server on TSG. \begin{description} 
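Review bot: the rewritten note in the @@ -374 hunk ("Suppose a user's role permissions enable ... In that case,") is harder to read than the original conditional and buries the security point: a user with Enable on "Administrator-Users-Users" can create users and change other users' roles, which makes that permission equivalent to the highest role unless TSG prevents assigning a role with more rights than the caller's own. The note should say which of those holds. In the @@ -399 hunk, "enables you to login in LDAP Authentication Mode" should be "log in using LDAP Authentication Mode", and the same line now mixes "an LDAP server" with "add a LDAP server".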
@@ -407,21 +406,21 @@ Configuring TSG to connect to a LDAP server enables you to login in LDAP Authent \item[STEP 2.] Define a \textbf{Name} to specify the LDAP server. \item[STEP 3.] Enter your \textbf{Host} and \textbf{Port} of the LDAP server. \item[STEP 4.] Enter your \textbf{User Name}, which is the administrative user of LDAP server, and \textbf{User Mapper} which specifies the hierarchy of LDAP user. - \item[STEP 5.] Enter the \textbf{Password} of user in STEP 4. Verify that \textbf{Enabled} is on. + \item[STEP 5.] Enter the \textbf{Password} of the user in STEP 4. Verify that \textbf{Enabled} is on. \item[STEP 6.] \textbf{Test Connection}. After success, click \textbf{OK}. - \item[STEP 7.] (\textcolor{gold}{Optional})To verify that you have add a LDAP server effectively, you can view related information on the \textbf{LDAP Server} list page. + \item[STEP 7.] (\textcolor{gold}{Optional})To verify that you have added an LDAP server effectively, you can view related information on the \textbf{LDAP Server} list page. \end{description} -After setting LDAP server, you can login using the LDAP accounts of enrolled LDAP server. -After a LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Admins} of \textbf{Administration} > \textbf{Admins}. -The column Source indicates the type of account which is shown as LDAP for LDAP account. +After setting LDAP server, you can log in using the LDAP accounts of the enrolled LDAP server. +After an LDAP account login TSG first time, the LDAP accounts will show on the tab \textbf{Admins} of \textbf{Administration} > \textbf{Admins}. +The column Source indicates the type of account which is shown as LDAP for the LDAP account. The column User name includes the full path for LDAP user, and the value of “uid” is the actual login username on TSG. -When logging into TSG system for the first time with LDAP user, TSG system will assign the user the role supperreader by default. 
-If the LDAP user requires other role permissions, you need to login by other users who have permission to modify a user’s role to modify it. +When logging into the TSG system for the first time with LDAP user, the TSG system will assign the user the role supperreader by default. +If the LDAP user requires other role permissions, you need to log in by other users who have permission to modify a user’s role to modify it. -In \textbf{Server Profiles} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. +On the \textbf{Server Profiles} > \textbf{LDAP Server} page, you can view the LDAP Server list. Operator displays who has modified the item, and it can be a LOCAL or LDAP account. Select the item you wish to change in the list and click \textbf{Edit} to modify LDAP server information. You can delete or disable the LDAP server and after that you will not be able to log into the system with the LDAP account. 
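Review bot: "supperreader" in the changed line "+When logging into the TSG system for the first time with LDAP user, the TSG system will assign the user the role supperreader by default" is a typo for the predefined role "superreader" named earlier in this file, and a misspelled role name in the guide will send administrators looking for a role that does not exist. The procedure in this hunk collects Host, Port, an administrative User Name and its Password but never says whether the connection is LDAPS/TLS or plain LDAP; since the bind credentials and every LDAP login travel over it, the guide should state which is used and recommend a read-only bind account rather than "the administrative user of LDAP server" in STEP 4. Grammar in the changed lines: "After an LDAP account login TSG first time" should read "After an LDAP account logs in to TSG for the first time", and "you need to log in by other users" should be "log in as another user".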
@@ -430,9 +429,9 @@ You can delete or disable the LDAP server and after that you will not be able to \addcontentsline{toc}{subsection}{Audit Log} \label{sec:intro:admin:audit} -If you perform an operation which influence the running of TSG, TSG will generate a log about this action. -For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs, etc. -You can view \textbf{System Logs} > \textbf{Audit Log} to see details. You can query audit logs within certain time range by ID, Source IP or Target Type. +If you perform an operation that influence the running of TSG, TSG will generate a log about this action. +For example, the Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs storage, etc. +You can view \textbf{System Logs} > \textbf{Audit Log} to see details. You can query audit logs within specific time range by ID, Source IP or Target Type. Audit logs can be exported as trace evidence. And when you are editing a policy or an object, you will find a link to audit log about this policy or object. %\pdfbookmark[2]{Mail Server}{Mail Server} 
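Review bot: "an operation that influence the running of TSG" in the first changed line still needs "influences", and "clearing traffic logs storage" should be "clearing traffic log storage". Since the paragraph presents audit logs as exportable evidence, it should also say whether the Audit Log itself can be cleared and, if so, whether that action is recorded; otherwise a reader cannot judge how much the trail can be trusted.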
@@ -440,20 +439,17 @@ Audit logs can be exported as trace evidence. And when you are editing a policy \addcontentsline{toc}{subsection}{Mail Server} \label{sec:intro:admin:mail} -Configure Mail Server to send mail alerts, which is currently used to send reports. Perform the following to create a Mail server profile: +Configure Mail Server to send mail alerts, which is used to send reports. Perform the following to create a Mail server profile: \begin{description} - \item[STEP 1.] If you perform an operation which influence the running of TSG, TSG will generate a log about this action. - For example, Audit Log will record the operations of adding or deleting or updating an object or policy, or clearing traffic logs. - You can view \textbf{Administration} > \textbf{Audit Logs} to see details. - \item[STEP 2.] Select \textbf{Server Profiles} > \textbf{EMail Servers}. - \item[STEP 3.] For Simple Mail Transport Protocol (SMTP) server (email server), Add a \textbf{Server} and \textbf{Port}. - \item[STEP 4.] Enable \textbf{Need Authentication}. - \item[STEP 5.] Define a \textbf{Name} to identify the SMTP server (1-32characters). This field is just a label and doesn’t have to be the hostname of an existing email server. + \item[STEP 1.] Select \textbf{Server Profiles} > \textbf{EMail Servers}. + \item[STEP 2.] For Simple Mail Transport Protocol (SMTP) server (email server), Add a \textbf{Server} and \textbf{Port}. + \item[STEP 3.] Enable \textbf{Need Authentication}. + \item[STEP 4.] Define a \textbf{Name} to identify the SMTP server (1-32characters). This field is just a label and doesn’t have to be the hostname of an existing email server. Define \textbf{E-mail}, the name to show in the \textbf{From} field of the email. - \item[STEP 6.] Enable \textbf{SSL}. - \item[STEP 7.] Click \textbf{OK} to save the Email server profile. + \item[STEP 5.] Enable \textbf{SSL}. + \item[STEP 6.] Click \textbf{OK} to save the Email server profile. \end{description} 
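Review bot: removing the copy-pasted audit-log text from STEP 1 is right, but STEP 5 "Enable SSL" should say whether this means implicit TLS or STARTTLS and whether the server certificate is verified, because STEP 3 "Need Authentication" sends the mailbox credentials over that connection and the port chosen in STEP 2 depends on the answer. Ordering: the Name defined in STEP 4 is usually the first field in a profile; if the form shows it first, the steps should match. Minor: "(1-32characters)" needs a space, "Add" in STEP 2 should be lower case, and "EMail Servers", "Email server" and "E-mail" should be spelled consistently with the UI labels.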
diff --git a/content/Monitoring.tex b/content/Monitoring.tex index c61851a..88eb592 100644 --- a/content/Monitoring.tex +++ b/content/Monitoring.tex @@ -5,11 +5,12 @@ \addcontentsline{toc}{chapter}{Monitoring} \label{sec:monitor} -To forestall potential issues and to accelerate incidence response when needed, TSG provides intelligence about traffic and user patterns using customizable and informative reports. -The dashboard, logs, and reports on TSG allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined -or customized views. For example, you can use the predefined templates to generate reports on user activities or analyze the reports and logs to interpret unusual behavior -on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard chart, with which you can interact -to find the information you care about. +TSG provides intelligence about traffic and user patterns using customizable and informative reports to forestall potential issues and accelerate incidence response when needed. +The dashboard, logs, and reports on TSG allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or +customized views. For example, you can use the predefined templates to generate reports on user activities or analyze the reports and logs to interpret unusual behavior +on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard chart, +with which you can interact to find the information you care about. + { \color{linkblue} 
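Review bot: the reordered first sentence of the @@ -5 hunk keeps "incidence response"; "incident response". The last sentence, "For a visually engaging presentation of network activity, the dashboard chart, with which you can interact to find the information you care about.", has no main verb in either version; something like "The dashboard chart gives a visually engaging presentation of network activity, and you can interact with it to find the information you care about."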
@@ -25,7 +26,10 @@ to find the information you care about. \addcontentsline{toc}{section}{Use the Dashboard} \label{sec:monitor:dashboard} -The TSG Dashboard include two sub menus, Main board and Live Chart. Main board show general TSG system overview, endpoints, policy hits statistics. By default, the Main board shows information of the last 24 hours. However, you can customize time range by clicking the time widget. By default, the statistics on the screen will not refresh automatically. You can turn it on and the Minimum Refresh Time is 15s. The following table describes the Main board widgets: +The TSG Dashboard includes three sub-menus, the Main dashboard, Live Charts, and DoS Threat Map. The main dashboard shows a general TSG overview, endpoints, +policy hits statistics. By default, the Main dashboard shows information of the last 24 hours. However, you can customize the time range by clicking the time widget. +By default, the statistics on the screen will not refresh automatically. You can turn it on, and the Minimum Refresh Time is 15s. +The following table describes the main dashboard widgets: \begin{longtable}{p{0.15\textwidth}|p{0.21\textwidth}|p{0.56\textwidth}} @@ -84,7 +88,7 @@ Each log type records information for a different event type. You can see the fo • Session Records -• Radius Logs +• Radius Records • VoIP Records @@ -100,7 +104,8 @@ Each log type records information for a different event type. You can see the fo Security Events and Proxy Events -• Security Events and Proxy Events data provides the ability to validate rule additions and rule changes and to monitor the time frame when a rule was used. The log gives you the information to determine whether a rule is effective for access enforcement. +• Security Events and Proxy Events data can validate rule additions and rule changes and monitor the time frame when a rule was used. +The log gives you the information to determine whether a rule is effective for access enforcement. Session Records 
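Review bot: the @@ -25 hunk names the new sub-menus "the Main dashboard, Live Charts, and DoS Threat Map" and then switches to "main dashboard" in the next two lines; pick the capitalization used in the UI and apply it to the longtable that follows, which the old text still calls "Main board". Since a DoS Threat Map sub-menu is introduced here, the DoS Detection chapter, which describes that map, should link to it the same way the Session and Radius entries are linked.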
@@ -110,18 +115,21 @@ Session Records TSG Session records display Transaction records when clicking details. Session records also consist of GTP, MPLS information. You can view live sessions in session records, but reports do not include live sessions. -Radius Logs +Radius Records • Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. TSG will keep track of radius traffic information, including Packet Type, Account, Nas IP, Framed IP, ACC Status Type and so on. -You can use the Account information in radius log to create \hyperlink{link:Subscriber ID}{\color{linkblue}{Subscriber ID}} object. +You can use the Account information in the radius records to create \hyperlink{link:Subscriber ID}{\color{linkblue}{Subscriber ID}} object. VoIP Records -• Voice over IP (VoIP) requires faster speeds and time-sensitive, real-time delivery. It mainly uses RTP as its media protocol to deliver multimedia sessions and Session Initiation Protocol (SIP) for signaling. SIP can open dynamic pinholes in the firewall where NAT is enabled. TSG only supports t VoIP calls using SIP for signaling and RTP for delivering audio data. TSG will keep track of VoIP traffic regarding general info, action, source, destination, application, transmission and SIP fields. +• Voice over IP (VoIP) requires faster speeds and time-sensitive, real-time delivery. It mainly uses RTP as its media protocol to +deliver multimedia sessions and Session Initiation Protocol (SIP) for signaling. SIP can open dynamic pinholes in the firewall where NAT is enabled. +TSG only supports t VoIP calls using SIP for signaling and RTP for delivering audio data. +TSG will track VoIP traffic regarding general info, action, source, destination, application, transmission and SIP fields. GTP-C Records 
@@ -130,13 +138,14 @@ GTP-C Records • GTP-C records is composed of GTP-C version (v1 or v2), International Mobile Equipment Identity (IMEI),International Mobile Subscriber Identity (IMSI), APN and Phone Number. -Please refer to \hyperlink{link:Appendix C Log Fields Description}{\color{linkblue}{Appendix C Logs Fields Description}} for more details. +Please refer to \hyperlink{link:Appendix B Log Fields Description}{\color{linkblue}{Appendix B Logs Fields Description}} for more details. DoS Events -• Dos Events provides detailed statistics on the detected Dos attacks. Currently supports DNS flood, TCP SYN flood, UDP flood and ICMP flood. You can view the Source Countries, Destination Countries, Start Time, End Time, Attack Type, Severity, Sessions/s, Packets/s, Bits/s, etc. +• Dos Events provides detailed statistics on the detected Dos attacks. Currently supports DNS flood, TCP SYN flood, UDP flood and ICMP flood. +You can view the Source Countries, Destination Countries, Start Time, End Time, Attack Type, Severity, Sessions/s, Packets/s, Bits/s, etc. %\pdfbookmark[2]{View Logs}{View Logs} \subsection*{\hypertarget{link:View Logs}{View Logs}} 
@@ -191,10 +200,11 @@ TSG log filter supports search by multiple fields in AND/OR relation. You can pe \addcontentsline{toc}{subsection}{Export Logs} \label{sec:monitor:log:export} -You can export the contents of a log type to a xlsx file. Firstly, Filter Logs according to time and other conditions. Then, Click the Log Export icon on the right. Wait a few seconds for the file to be generated and downloaded to your local folder. +You can export the contents of a log type to a xlsx file. Firstly, Filter Logs according to time and other conditions. +Then, click the Log Export icon on the right. Wait a few seconds for the file to be generated and downloaded to your local folder. -\notemark\textit{Maximum export log records are 100000.} +\notemark\textit{You can export up to 100,000 records a time..} %\pdfbookmark[1]{View and Manage Reports}{View and Manage Reports} \section*{\hypertarget{link:View and Manage Reports}{View and Manage Reports}} 
@@ -210,18 +220,21 @@ The purpose of the report is to summarize a large amount of log data. Based on t \notemark\textit{Note that the report itself does not provide any recommendations or give any indication of problems. Users must analyze and consider network problems based on report data and graphs.} -TSG includes a number of predefined datasets, charts and reports. It can basically meet the needs of most users. +TSG includes several predefined datasets, charts and reports. It can basically meet the needs of most users. You can quickly view network activities based on preset reports for event or behavior analysis. -For more details about predefined reports, please refer to \hyperlink{link:Appendix D Predefined Reports}{\color{linkblue}{Appendix D Predefined Reports}}. +For more details about predefined reports, please refer to \hyperlink{link:Appendix C Predefined Reports}{\color{linkblue}{Appendix C Predefined Reports}}. -You can use predefined reports as-is, or you can build custom reports that meet your needs for specific data and actionable tasks. Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include aggregate function for more specific drill down on report data. +You can use predefined reports as-is, or build custom reports that meet your needs for specific data and actionable tasks. +Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. +You can also include an aggregate function for more specific drill down on report data. -In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. Reports can be sent for email delivery or FTP service if you enable notification when creating a report. 
+To create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. +Reports can be sent for email delivery or FTP service if you enable notification when creating a report. -Report is a set of data placed in orderly charts. A chart contains two elements: +A report is a set of data placed in orderly charts. A chart contains two elements: • The data set is a SELECT query that extracts the specified data from the database. @@ -230,7 +243,8 @@ Report is a set of data placed in orderly charts. A chart contains two elements: • In what format the data is displayed (for example: pie chart, bar chart and table). -Each chart is associated with one dataset. When you generate a report, the dataset associated with each chart extracts data from the logs and populates the charts. Each dataset requires a specific log type. +Each chart is associated with one dataset. The dataset associated with each chart extracts data from the logs and populates the charts when you generate a report. +Each dataset requires a specific log type. To customize a report, you need to follow three steps. 
@@ -246,18 +260,24 @@ This consideration guides you in making the following selections in a custom rep \begin{description} - \item[STEP 1.] Create a Dataset. Dataset specify what data to extract from logs. + \item[STEP 1.] Create a Dataset. Dataset specifies what data to extract from logs. \begin{enumerate} \item Select \textbf{Reports} > \textbf{Datasets} menu, and click \textbf{Create}. \item Enter a \textbf{Name}. - \item Select a \textbf{Log Type} from the following: Security Event, Proxy Event, Session Records and Radius. Because session records show all traffic that is allowed on your network, select session records. - \item Select the \textbf{Group by}. Fields are the result fields of a dataset collection, include group by fields and metric fields. Fields are the dimensions of your report. This will serve as the X-Axis Data Binding options for Chart Libraries. The report mainly displays client IP, so select client IP. - \item Specify the \textbf{Data Bindings}, add Field, Aggregate, and Label, which serve as legend of your Chart Libraries. Variable consists of log field. You can add at least one or multiple variables. Aggregate is metric function and the available options are sum, min, max, avg, count, and count distinct. Label is the legend that will show in your Chart Libraries. In this case, Field select Sessions; Aggregate select sum; and sessions is filled in for Label by default. - \item (\textcolor{gold}{optional})Specify \textbf{Filter} and \textbf{Having}. Query conditions, only calculated within the data range of a certain field or a few fields that match a specific expression. All lines that do not match the conditions will be excluded from the collections of data. Your selections will automatically generate a SQL. Filter conditions is before data aggregation, and Having is after data aggregation. Since the visiting target is Google, you can set Feild as Http.Domain, set Aggregate as Suffix and set Value to “google.com”. 
+ \item Select a \textbf{Log Type} from the following: Security Event, Proxy Event, Session Records and Radius. + Because session records show all traffic that is allowed on your network, select session records. + \item Select the \textbf{Group by}. Fields are the result fields of a dataset collection, include groups by fields and metric fields. + Fields are the dimensions of your report. This will serve as the X-Axis Data Binding options for Chart Libraries. The report mainly displays client IP, so select client IP. + \item Specify the \textbf{Data Bindings}, add Field, Aggregate, and Label, which serve as the legend of your Chart Libraries. Variable consists of log field. + You can add at least one or multiple variables. Aggregate is a metric function and the available options are sum, min, max, avg, count, and count distinct. + The label is the legend that will show in your Chart Libraries. In this case, Field select Sessions; Aggregate select sum; and sessions is filled in for Label by default. + \item (\textcolor{gold}{optional})Specify \textbf{Filter} and \textbf{Having}. Query conditions, are only calculated within a certain field's data range or a few fields that match a specific expression. + All lines that do not match the conditions will be excluded from the collection of data. Your selections will automatically generate a SQL. + Filter conditions are before data aggregation, and Having is after data aggregation. Since the visiting target is Google, you can set Feild as Http.Domain, set Aggregate as Suffix and set Value to “google.com”. \item Click \textbf{OK}. \end{enumerate} - \item[]Please view the following table for details about new dataset. + \item[]Please view the following table for details about the dataset. \begin{longtable}{p{0.16\textwidth}|p{0.78\textwidth}} \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Field}} & \textcolor{white}{Description} \\\hline 
@@ -277,7 +297,7 @@ This consideration guides you in making the following selections in a custom rep • Session Records - • Radius Logs + • Radius Records • VoIP Records @@ -290,20 +310,20 @@ This consideration guides you in making the following selections in a custom rep Click the "+" button to add variable. - \notemark\textit{Field in Group by will serve as the X-Axis Data Binding options for Chart Libraries.} + \notemark\textit{The field in Group by will serve as the X-Axis Data Binding options for Chart Libraries.} - For the detailed meaning of each Log Field, please view \textbf{\hyperlink{link:Appendix C Log Fields Description}{\color{linkblue}{Appendix C Log Fields Description}}}. \\\hline + For the detailed meaning of each Log Field, please view \textbf{\hyperlink{link:Appendix B Log Fields Description}{\color{linkblue}{Appendix B Log Fields Description}}}. \\\hline Data Bindings & Data Bindings are the result fields of a dataset collection, include group by log fields. - Click the "+" button to add field, aggregate, and description information. + Click the "+" button to add a field, aggregate, and description information. \begin{itemize} \item Field: log fields - For the detailed meaning of each Log Field, please view \textbf{\hyperlink{link:Appendix C Log Fields Description}{\color{linkblue}{Appendix C Log Fields Description}}}. + For the detailed meaning of each Log Field, please view \textbf{\hyperlink{link:Appendix B Log Fields Description}{\color{linkblue}{Appendix B Log Fields Description}}}. \item Aggregate: Metric function, Select a value from the dropdown list. The available options vary depending on the selected variable. \begin{itemize} \item sum \item min \item max \item avg \item count \item Count Distinct 
@@ -553,7 +573,7 @@ This consideration guides you in making the following selections in a custom rep Mail.To\\ Mail.Subject\\ Quic.SNI} \\ \arrayrulecolor{black} \hline - \tabincell{l}{Radius\\ Logs} & \tabincell{l}{Nas IP\\ + \tabincell{l}{Radius\\ Records} & \tabincell{l}{Nas IP\\ Framed IP\\ Subscriber ID\\ Receive Time} & \tabincell{l}{Framed IP\\ @@ -848,7 +868,7 @@ This consideration guides you in making the following selections in a custom rep \item Click \textbf{OK}. \end{enumerate} - \item[] Please view the following table for details about new chart library. + \item[] Please view the following table for details about the chart library. \begin{longtable}{p{0.16\textwidth}|p{0.78\textwidth}} 
@@ -856,14 +876,14 @@ This consideration guides you in making the following selections in a custom rep Name & Enter a name for the dataset.\\\hline Description & Enter a description of the chart. \\\hline Dataset & Select a dataset from the dropdown list. \\\hline - Chart Type & Select a graph type from the dropdown list, one of Table, Bar, Pie, Line and Area. This selection affects the rest of the available selections. + Chart Type & Select a graph type from the dropdown list, one of Table, Bar, Pie, Line, and Area. This selection affects the rest of the available selections. - \notemark\textit{For Line and Area type, Receive Time field must be chosen as one of Group By – Variable in selected dataset to generate meaningful report.} \\\hline + \notemark\textit{For Line and Area type, Receive Time field must be selected as one of Group By – Variable in the selected dataset to generate a meaningful report.} \\\hline \tabincell{l}{Data\\ Bindings} & The data bindings vary depending on the chart type selected. \\\hline \multicolumn{2}{l}{\textbf{Table}}\\\hline Table Type & Regular or Drilldown. \\\hline - Add Column & Click to add Column. Up to 15 columns can be added for a Regular table. + Add Column & Click to add Column. Up to 15 columns can be added to a Regular table. Drilldown tables have three columns.\\\hline 
@@ -894,7 +914,7 @@ This consideration guides you in making the following selections in a custom rep \item Format: Select a format from the dropdown list: Bandwidth, Counter, Default and Percentage. \item Label: Enter a label for the axis. \end{itemize} \\\hline - Bundle rest into “Others” & Other items are bundled into the Others category if check this option. This reflects in ‘X’ Label of a Bar chart. \\\hline + Bundle rest into “Others” & Other items are bundled into the Others category if you check this option. This reflects in the ‘X’ Label of a Bar chart. \\\hline \multicolumn{2}{l}{\textbf{Pie}}\\\hline Category & \begin{itemize} \item Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset. @@ -907,7 +927,7 @@ This consideration guides you in making the following selections in a custom rep \item Format: Select a format from the dropdown list: Bandwidth, Counter, Default and Percentage. \item Label: Enter a label for the axis. \end{itemize} \\\hline - Bundle rest into “Others” & Other items are bundled into the Others category if check this option. This reflects in Category of a Pie chart.\\\hline + Bundle rest into “Others” & Other items are bundled into the Others category if you check this option. This reflects in the Category of a Pie chart.\\\hline \multicolumn{2}{l}{\textbf{Line} or \textbf{Area}}\\\hline X-Axis & \begin{itemize} \item Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset. The selected dataset should include time field. 
@@ -918,8 +938,8 @@ This consideration guides you in making the following selections in a custom rep \end{itemize} \\\hline Lines & \begin{itemize} \item Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset. - \item Format: Select from the dropdown list, one of: Bandwidth, Counter and Default. - \item Type: Select from the dropdown list, one of: Line Up and Line Down. + \item Format dropdown list: Select one from Bandwidth, Counter and Default. + \item Type dropdown list: Select one from Line Up and Line Down. \notemark\textit{If data in Y-Axis has different units, please select Line Up and Line Down respectively.} 
@@ -954,15 +974,17 @@ This consideration guides you in making the following selections in a custom rep \item (\textcolor{gold}{Optional})If you \textbf{Enable Notification}, you can select FTP or Email as Output Profile. \begin{itemize} \item Email: Enter recipient's e-mail. - \item FTP: Enter server, port, username, password and directory. + \item FTP: Enter server, port, username, password, and directory. \end{itemize} \item Select the \textbf{Chart Library} you just created. Enter number and select time unit for \textbf{Time Granularity}. The available options vary depending on the selected chart, only applies to charts with time parameters. This will affect the data density of X-Axis. Here, let it grey by default since it is a Bar chart. - \item (\textcolor{gold}{optional})Add \textbf{Filter} if you have related requirements. You can apply log message filters to reports and charts. If add multiple charts, the filter field is limited to the common fields of multiple charts. Here don’t add any Filter. + \item (\textcolor{gold}{optional})Add \textbf{Filter} if you have related requirements. You can apply log message filters to reports and charts. + If you add multiple charts, the filter field is limited to the common fields of multiple charts. Here don’t add any Filter. \item Click \textbf{OK}. - \item Wait a while for the generation of the report. Click button (\mbox{$\blacktriangleright$}) at the left of the report row to get the details of the result. After the status reach 100\%, click \textbf{View} and you’ll see: firstly, the overviews of traffic statistics, then the traffic trend in the time period and finally the results of your custom selections. + \item Wait a while for the generation of the report. Click the button (\mbox{$\blacktriangleright$}) at the left of the report row to get the details of the result. 
+ After the status reaches 100\%, click \textbf{View} and you’ll see: firstly, the overviews of traffic statistics, then the traffic trend in the time period and finally the results of your custom selections. \end{enumerate} %\[\blacktriangleright\] - \item[] Please view the following table for details about new report. + \item[] Please view the following table for details about the report. \begin{longtable}{p{0.18\textwidth}|p{0.76\textwidth}} \rowcolor{black}\multicolumn{1}{l!\vlinewhite}{\textcolor{white}{Field}} & \textcolor{white}{Description} \\\hline Name & Enter a name for the dataset.\\\hline @@ -977,7 +999,7 @@ This consideration guides you in making the following selections in a custom rep \end{itemize} \\\hline \tabincell{l}{Enable\\ Schedule} & Select to enable schedules.\\\hline Schedule & Select a schedule from the dropdown list to run the report.\\\hline - \tabincell{l}{Enable\\ Notification} & Setting report notification profile.\\\hline + \tabincell{l}{Enable\\ Notification} & Set report notification profile.\\\hline Output Profile & Select the output profile from the dropdown list: \begin{itemize} \item Email: Enter recipient's e-mail. 
@@ -986,7 +1008,7 @@ This consideration guides you in making the following selections in a custom rep Chart Library & Click the button “+” and select a chart from the slide page Chart Library. \\\hline \tabincell{l}{Time\\ Granularity} & Enter number and select time unit. The available options vary depending on the selected chart, only applies to charts with time parameters.\\\hline Add Chart & Click the "+ Add Chart" button to add more charts.\\\hline - Filter & You can apply log message filters to reports and charts. If add multiple charts, the filter field is limited to the common fields of multiple charts. + Filter & You can apply log message filters to reports and charts. If you add multiple charts, the filter field is limited to the common fields of multiple charts. Click the "+ Add Condition" button to add log Field, Operator, and Value. 
@@ -1007,14 +1029,14 @@ You can view the create time of a result for the report, when you click button ( (switch to button (\mbox{$\blacktriangledown$}) to indicate folding back) at the left of a row to unfold the report details. Create time shows the time that the report generated this cycle according to the schedule, not the time you configure the report. The reports are displayed in descending order by create time. For example, you create a report with Time Period “today” -and Enable Schedule “Daily, Start Time 14:00 \& End Time 18:00” at 9:00 am. In this case, the first result of report -which is shown in (\mbox{$\blacktriangledown$}) will be created at 14:00 today with Create Time: YYYY-MM-DD 14:00. +and Enable Schedule “Daily, Start Time 14:00 \& End Time 18:00” at 9:00 am. In this case, the first report +result shown in (\mbox{$\blacktriangledown$}) will be created at 14:00 today with Create Time: YYYY-MM-DD 14:00. Meanwhile the percentage which indicates the ready status of the result will reach 100\% after 24:00:00 since the report configuration was set Time Period as “today”. And you can get a new result at the 14:00 and view the report after midnight every day from now on. The report list displays Last Modified Time and Last Execution Time and you can click the column to make the list display in descending or ascending order.} -For more details about reports best practice, please refer to \hyperlink{link:Make Your Own Reports}{\color{linkblue}{Appendix F Make Your Own Reports}} +For more details about reports best practice, please refer to \hyperlink{link:Make Your Own Reports}{\color{linkblue}{Appendix E Make Your Own Reports}} Advantages of TSG report: 
@@ -1029,18 +1051,20 @@ Advantages of TSG report: \addcontentsline{toc}{section}{Take Packet Captures} \label{sec:monitor:packet} -TSG captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure TSG to only capture packets to and from a specific source and destination IP address or port. You may need to take packet captures when creating a custom application, because you have to gather information about the application. +TSG captures packets for all traffic or for specific traffic based on filters that you define. +For example, you can configure TSG only to capture packets to and from a specific source and destination IP address or port. +You may need to take packet captures when creating a custom application because you have to gather information about the application. \begin{description} \item[STEP 1.] Before you start a packet capture, identify the attributes of the traffic that you want to capture. - For example, to determine the source IP address, and the destination IP address for traffic between two systems. + For example, to determine the source IP address and the destination IP address for traffic between two systems. If you wish to troubleshoot a Security Event Log, go to \textbf{Logs} > \textbf{Security Event Log} and locate the traffic log for the two systems. Click the \textbf{Log ID} to view the Client IP, Client Port, Server IP, Server Port. \item[STEP 2.] Set packet capture conditions, so TSG only captures traffic you are interested in. \begin{enumerate} - \item Select \textbf{Setting} > \textbf{Trouble Shooting} menu, and select Packet Capture tab. + \item Select \textbf{Setting} > \textbf{Trouble Shooting} menu and select Packet Capture tab. \item Enter a descriptive \textbf{Name}. \item Select \textbf{Address Type}, IPv4 or IPv6. \item Enter \textbf{Client IP}, \textbf{Client Port}, \textbf{Server IP}, \textbf{Server Port}. 
@@ -1049,7 +1073,8 @@ TSG captures packets for all traffic or for specific traffic based on filters th \item Enter \textbf{Captured Number} and \textbf{Capture Duration}. \item Click \textbf{OK}. \end{enumerate} - \item[STEP 3.] Packet Capture will automatically start after you created it. Generate traffic that matches the filters that you defined. It will stop after your capture duration expires, or you can turn it off manually after TSG captures the data that you want to analyze. + \item[STEP 3.] Packet Capture will automatically start after you create it. Generate traffic that matches the filters that you defined. + It will stop after your capture duration expires, or you can turn it off manually after TSG captures the data you want to analyze. \item[STEP 4.] Click the triangle icon to the left in the list to expand the item, then click \textbf{Download} to download packets or \textbf{Delete} to delete packets. \item[STEP 5.] View the packet capture files using a network packet analyzer. \end{description} \ No newline at end of file diff --git a/content/Objects.tex b/content/Objects.tex index 54a932f..ebf5308 100644 --- a/content/Objects.tex +++ b/content/Objects.tex 
@@ -6,7 +6,7 @@ \label{sec:objects} A policy object consists of one item or a set of collective items that groups discrete identities such as IP addresses, URLs, applications, or accounts. -One policy object is allowed to reference same type objects as subordinate objects. Typically, when creating a policy object, you group objects that require similar permissions in policy. +One policy object is allowed to reference the same type of objects as subordinate objects. Typically, when creating a policy object, you group objects that require similar permissions in thebibliography policy. For example, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies. An object group is also considered as an object when referenced. You can reference the object group in policy instead of manually selecting multiple objects one at a time. @@ -22,10 +22,11 @@ You can reference the object group in policy instead of manually selecting multi } \clearpage -You can create an object or create an object group. A policy object consists of one or multiple items, while an object group is composed of one or multiple subordinate objects. One object is allowed to reference same type objects as subordinate objects. +You can create an object or create an object group. A policy object consists of one or multiple items, while an object group is composed of one or multiple subordinate objects. +One object is allowed to reference the same type of objects as subordinate objects. -To view object usages, please click column \textbf{Reference Count} of object list. +To view object usages, please click the column \textbf{Reference Count} of the object list. Then you will see\\ 
@@ -33,7 +34,7 @@ Then you will see\\ • The group object that references the object. -Click the Graph button, you will see an object relationship graph. Policies, Proxy TCP Options, and parent objects that reference current object are displayed in the graph. +Click the Graph button. You will see an object relationship graph. Policies, Proxy TCP Options, and parent objects that reference the current objects are displayed in the graph. As well as application signatures, which reference IP Address object when creating signatures with ip.src and ip.dst as Traffic Attribute. For more details, see \textbf{Advanced Setting} > \textbf{\hyperlink{link:Proxy TCP Option}{\color{linkblue}{Proxy TCP Option}}} and \textbf{Objects} > \textbf{Applications} > \textbf{\hyperlink{link:Signatures}{\color{linkblue}{Signatures}}}. 
@@ -41,10 +42,11 @@ For more details, see \textbf{Advanced Setting} > \textbf{\hyperlink{link:Proxy Click the solid circle to unfold the referenced ancient object and click the hollow circle to fold the picture. -\notemark\textit{Note that direct or indirect self-reference is prohibited, i.e. A->A or A->B->A. Within the TSG system, object references can have up to six levels (from root node to leaf node).} +\notemark\textit{Note that direct or indirect self-reference is prohibited, i.e., A->A or A->B->A. Within the TSG system, object references can have up to six levels (from the root node to leaf node).} -You can reference objects and object groups in your policies. Thus, you reduce the administrative overhead in creating policies. You can identify an object by its name or ID number. The object ID never changes even if you modify the object, such as when you change the object name. +You can reference objects and object groups in your policies. Thus, you reduce the administrative overhead in creating policies. You can identify an object by its name or ID number. +The object ID never changes even if you modify the object, such as when changing the object name. %\pdfbookmark[1]{Objects Type}{Objects Type} 
@@ -52,22 +54,26 @@ You can reference objects and object groups in your policies. Thus, you reduce t \addcontentsline{toc}{section}{Objects Type} \label{sec:objects:type} -You can create the following policy objects on TSG. A policy object consists of one or multiple items, while an object group is composed of one or multiple subordinate objects. +You can create the following policy objects on TSG. A policy object consists of one or multiple items, while an object group is composed of multiple subordinate objects. \begin{longtable}{p{0.21\textwidth}|p{0.74\textwidth}} \rowcolor{black}\multicolumn{1}{l!{\vlinewhite}}{\textcolor{white}{Policy Object}} & \textcolor{white}{Description} \\\hline - \tabincell{l}{IP Addresses/\\ Address Group} & IP Address contains three sub-types: IP, geography and IP Learning. The IP object can include an IPv4 or IPv6 address (single IP, range). Address Group Allow you to group specific source or destination addresses that require the same policy enforcement. You can then group a collection of address objects of the same type to create an address object group. IP learning type is not allowed to create group.\\ \hline - \tabincell{l}{FQDNs/\\FQDN Group} & That is fully qualified domain name to identify traffic. Using an FQDN object or FQDN object group reduces issues in environments where the host is subject to dynamic IP address changes. Support exactly matching and suffix matching.\\\hline + \tabincell{l}{IP Addresses/\\ Address Group} & IP Address contains three sub-types: IP, geography, and IP Learning. The IP object can include an IPv4 or IPv6 address (single IP, range). + Address Group allows you to group specific source or destination addresses that require the same policy enforcement. + You can then group a collection of address objects of the same type to create an address object group. 
IP learning type is not allowed to create a group.\\ \hline + \tabincell{l}{FQDNs/\\FQDN Group} & That is a fully qualified domain name to identify traffic. Using an FQDN object or FQDN object group reduces issues in environments where the host is subject to dynamic IP address changes. Support exactly matching and suffix matching.\\\hline \tabincell{l}{Subscriber IDs/\\Subscriber ID\\ Group} & Allow you to create a list of Subscriber ID for RADIUS traffic. Support exactly matching only. \\\hline - \tabincell{l}{HTTP Signatures/\\HTTP Signature\\ Group} & Allow you to add keyword in Request as User-Agent and Cookie, in Response as Set-Cookie and Content-Type. Support exactly matching, prefix matching, suffix matching and substring matching. \\\hline - \tabincell{l}{Keywords/\\Keyword Group} & A string you define that can be added as a filter in policy. You can enable Hex Mode. Support exactly matching, prefix matching, suffix matching and substring matching. + \tabincell{l}{HTTP Signatures/\\HTTP Signature\\ Group} & Allow you to add the keyword in Request as User-Agent and Cookie, in Response as Set-Cookie and Content-Type. + Support exactly matching, prefix matching, suffix matching, and substring matching. \\\hline + \tabincell{l}{Keywords/\\Keyword Group} & A string you define that can be added as a filter in policy. You can enable Hex Mode. + Support exactly matching, prefix matching, suffix matching, and substring matching. - \notemark\textit{Support maximum 8 substrings for AND expression. And when adding keyword for other objects, the same rule applies.}\\\hline - \tabincell{l}{URLs/\\URL Group} & A Uniform Resource Locator, colloquially termed a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a hostname (www.example.com), and a file name (index.html). 
Here the protocol is not allowed when adding. Support exactly matching, prefix matching, suffix matching, and substring matching \\\hline - \tabincell{l}{Categories/\\Category Group} & Category classifies websites based on site content, features, and safety. Once created, the category can be selected as a filter of a policy. This means that a policy will only allow or block requests that match the category. For details, please refer to \hyperlink{link:Categories}{\color{linkblue}{Categories}}.\\\hline - \tabincell{l}{Accounts/\\Account Group} & Stores the account information for your application. For example, you can add your email account as a filter when creating a policy using MAIL application. Support exactly matching, prefix matching, suffix matching and substring matching. \\\hline + \notemark\textit{Support maximum 8 substrings for AND expression.}\\\hline + \tabincell{l}{URLs/\\URL Group} & A Uniform Resource Locator, colloquially termed a web address, refers to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a hostname (www.example.com), and a file name (index.html). Here the protocol is not allowed when adding. Support exactly matching, prefix matching, suffix matching, and substring matching \\\hline + \tabincell{l}{Categories/\\Category Group} & Category classifies websites based on their content, features, and safety. Once created, the category can be selected as a filter of a policy. This means that a policy will only allow or block requests that match the category. For details, please refer to \hyperlink{link:Categories}{\color{linkblue}{Categories}}.\\\hline + \tabincell{l}{Accounts/\\Account Group} & For example, you can add your email account as a filter of mail protocol. Account object supports exactly matching, prefix matching, suffix matching, and substring matching. 
\\\hline \tabincell{l}{Mobile Identities/\\Mobile Identity\\ Group} & Consists of IMSI and Phone Number. Both are string type, composed of decimal numbers with maximum 15 digits. IMSI only supports prefix matching. Phone Number supports exactly matching, prefix matching, suffix matching and substring matching. \\\hline \tabincell{l}{APNs/\\APN Group} & Access Point Name of GTP users. 
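Review bot: The Keywords row drops the sentence "And when adding keyword for other objects, the same rule applies.", so the 8-substring limit for AND expressions is now documented for the Keywords object only; if the limit still applies to HTTP Signatures, URLs and Accounts, keep that sentence or restate it in each affected row. Two smaller points in the same table: the Accounts row now opens with "For example, you can add your email account as a filter of mail protocol." with no definition of the object in front of it, so restore a lead sentence such as the removed "Stores the account information for your application."; and the URL row's rewrite "refers to a web resource that specifies its location" makes the resource, not the URL, the thing that specifies the location, whereas the original "is a reference to a web resource that specifies its location" was correct. Throughout the table "Support exactly matching" should read "Supports exact matching" and "Allow you" should read "Allows you".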
@@ -116,35 +122,45 @@ You can perform the following to create an object. You can view detailed information about the object you just created. To edit and delete the object, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can export the contents of objects to a txt or csv file. First, search objects according to ID, Name, Keywords, Sub Object (ID), Description, Operator, Time and other conditions. Then, Click the Export icon on the right to download and save the file to your local folder. +You can export the contents of objects to a txt or csv file. First, search objects according to ID, Name, Keywords, Sub Object (ID), Description, Operator, Time and other conditions. +Then, click the Export icon on the right to download and save the file to your local folder. -You can also import objects by clicking the import icon. Only csv and txt formats can be uploaded. Duplicated items are automatically omitted when you import objects. You can take the exported file as template for import. In addition, the exported file of object can also be used to back up the object of the current system. After export, it can be directly imported into the same version (or the official version of TSG compatible with the exported version). +You can also import objects by clicking the import icon. Only csv and txt formats can be uploaded. Duplicated items are automatically omitted when you import objects. +You can take the exported file as a template for import. In addition, the exported file of object can also be used to back up the object of the current system. After export, it can be directly imported into the same version (or the official version of TSG compatible with the exported version). 
-\notemark\textit{The TSG system only provides the export of objects with items, but object group with subordinate object are not allowed to be exported.} +\notemark\textit{The TSG system only provides the export of objects with items, but object group with subordinate objects are not exported.} -TSG allows searching objects based on ID, Name, Description, Operator, Time etc. +TSG allows searching objects based on ID, Name, Description, Operator, Time, etc. -Select the checkbox for objects in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and select Object tab to view the Watch List. You can search objects by ID and Name in the list. +Select the checkbox for objects in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and +select the Object tab to view the Watch List. You can search objects by ID and Name in the list. %\pdfbookmark[1]{IP Addresses}{IP Addresses} \section*{\hypertarget{link:IP Addresses}{IP Addresses}} \addcontentsline{toc}{section}{IP Addresses} \label{sec:objects:ip} -An address object is a set of IP addresses that you can manage in one place and then use in multiple policy rules. You can reference the same address object in multiple policy rules without needing to specify the same individual addresses in each use. Furthermore, create an address object on TSG to group IP addresses, and then reference the address object in a policy rule to avoid having to individually specify multiple IP addresses in the rule. For example, you can create an address object that specifies an IPv4 address range and then reference the address object in a Security policy rule. +An address object is a set of IP addresses that you can manage in one place and then use in multiple policy rules. 
You can reference the same address object in multiple policy rules without +specifying the same individual addresses in each use. Furthermore, create an address object on TSG to group IP addresses and then reference the address object in a policy rule to +avoid having to specify multiple IP addresses in the rule individually. For example, you can create an address object that specifies an IPv4 address range +and then reference the address object in a Security policy rule. -There are three Sub Types of address object: IP, Geography and IP Learning. IP Sub Type include an IPv4 or IPv6 address (single IP, range). Geography are IP addresses organized by geographical scope. You can select a country or a city as an item. For more details, please see \textbf{\hyperlink{link:IP Libraries}{\color{linkblue}{IP Libraries}}}. IP Learning can learn from FQDNs whose host IP addresses change frequently. +There are three Sub Types of address object: IP, Geography and IP Learning. IP Sub Type include an IPv4 or IPv6 address (single IP, range). Geography are IP addresses organized by geographical scope. +You can select a country or a city as an item. For more details, please see \textbf{\hyperlink{link:IP Libraries}{\color{linkblue}{IP Libraries}}}. +IP Learning can learn from FQDNs whose host IP addresses change frequently. \notemark\textit{At present, the system supports geography selection at both national and urban levels.} -Initially, the IP Learning object is empty and contains no addresses. When the client tries to resolve a FQDN address, TSG will analyze the DNS response. The IP address(es) contained in the answer section of the DNS response will be added to the corresponding IP Learning object. When the IP Learning gets the resolved IP addresses, TSG loads the addresses into policy for traffic matching. At any given time, a single IP Learning object may have up to 10000 IP addresses. +Initially, the IP Learning object is empty and contains no addresses. 
When TSG sees the client communicates with a server with targeted FQDN, e.g., HTTP Host and SSL SNI, +TSG will add the IP to the corresponding IP Learning object. When the IP Learning gets the resolved IP addresses, TSG loads the addresses into policy for traffic matching. +At any given time, a single IP Learning object may have up to 10000 IP addresses. You can perform the following to create an IP object: 
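Review bot: The IP Learning paragraph now says addresses are learned when "TSG sees the client communicates with a server with targeted FQDN, e.g., HTTP Host and SSL SNI", replacing the DNS-response description, but the following sentence still reads "When the IP Learning gets the resolved IP addresses"; with Host/SNI-based learning nothing is resolved, so write "the learned IP addresses" (and "sees the client communicating"). Since the Host header and SNI are values supplied by the client, it would help readers to say here that Vote Clients Number (STEP 7 below) is the control that keeps a single client from populating an IP Learning object on its own. Grammar in the Sub Types paragraph is untouched by the hunk: "IP Sub Type include" and "Geography are IP addresses" should be "includes" and "is".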
@@ -159,11 +175,13 @@ You can perform the following to create an IP object: \item[STEP 7.] (\textcolor{gold}{Optional})If you select \textbf{IP Learning} as your sub Type, you need to fill in the following fields. \begin{enumerate} \item Add one or more FQDNs for \textbf{Learn from FQDNs}. - \item Select HTTP, SSL from drop-down for \textbf{Learn from Protocols}. + \item Select HTTP, SSL from the drop-down for \textbf{Learn from Protocols}. \item Select 1 Degree or 2 Degrees for \textbf{Learning Depth}. - \item Specify \textbf{Aging Times}. IP domain name learning after a certain period of time, the value density will be reduced. That is to say, the IP addresses obtain between the first discovery and the last discovery of the service IP returned by the domain name. Aging Times Cannot be 0, exceed maximum 2147483647, and be empty. - \item Specify \textbf{Vote Clients Number}. Total number of independent client IP supporting IP learning. Cannot be 0, exceed maximum 10000, and be empty. - \item Specify \textbf{Learned IP limits}. Maximum number of IP addresses to learn. Cannot be 0, exceed maximum 10000, and be empty. + \item Specify \textbf{Aging Times}. IP domain name learning after a certain period of time, the value density will be reduced. + The IP addresses obtained between the first and last discovery of the service IP are returned by the domain name. + Aging Times Cannot be 0, exceed a maximum 2147483647 hours, and be empty. + \item Specify \textbf{Vote Clients Number}. The total number of independent client IP agree with the FQDN-IP mapping. It should be a number between 0 and 10,000. + \item Specify \textbf{Learned IP limits}. Maximum number of IP addresses to learn. It should be a number between 0 and 10,000.. \end{enumerate} \item[STEP 8.] (\textcolor{gold}{Optional})Enter a \textbf{Description} or leave the value set to empty. Description can have up to 1024 characters. \item[STEP 9.] Click \textbf{OK}. 
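Review bot: "Vote Clients Number" and "Learned IP limits" now read "It should be a number between 0 and 10,000", which no longer says whether 0 is allowed; the removed text said "Cannot be 0", so if that still holds write "from 1 to 10,000" (and fix the doubled period in "10,000.."). "Aging Times Cannot be 0, exceed a maximum 2147483647 hours, and be empty" is still three prohibitions joined by "and"; "must be between 1 and 2147483647 hours" says the same thing clearly, and the unit "hours", which this hunk introduces, should be checked against the UI. "The total number of independent client IP agree with the FQDN-IP mapping" needs "client IPs that agree".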
@@ -183,7 +201,7 @@ The following steps guide you to Create Geography: \item[STEP 1.] Select \textbf{System} > \textbf{IP Libraries}, and click \textbf{Create}. \item[STEP 2.] Create Geography. \begin{enumerate} - \item Select geography \textbf{Type} between Country and City, if you select Country, you need to select \textbf{Continent} field. Here, select City as an example. + \item Select geography \textbf{Type}. If you select Country and Region, you need to choose \textbf{Continent} field. Here, choose City as an example. \item Select \textbf{Country} from slide page Geographic Locations. \item Add \textbf{Geo Name ID}. \item Specify \textbf{City}. The City name is case-sensitive and can have up to 128 characters. @@ -200,7 +218,7 @@ You can \textbf{Edit} or \textbf{Delete} imported Geography. When editing built- \addcontentsline{toc}{section}{Subscriber IDs} \label{sec:objects:subscriber} -You can create Subscriber ID to keep track of Radius traffic user. After you create Subscriber ID object, you can use it in your policy rule and Active Subscriber ID will be shown in your dashboard. +You can create a Subscriber ID to keep track of Radius traffic user. After you create the Subscriber ID object, you can use it in your policy rule, and active Subscriber ID will be shown in your dashboard. You can perform the following to create a Subscriber ID: 
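Review bot: The rewritten item "Select geography Type. If you select Country and Region, you need to choose Continent field. Here, choose City as an example." no longer lists the available types: the removed text named Country and City, the new text names "Country and Region" and then City, so state the full set of Type values once (and say whether "Country and Region" is a single option) before giving the City example.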
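Review bot: In the Subscriber IDs hunk "Radius traffic user" should be "RADIUS traffic users"; the Objects Type table earlier in this file writes "RADIUS", so the casing should match.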
@@ -219,7 +237,7 @@ You can perform the following to create a Subscriber ID: \addcontentsline{toc}{section}{Categories} \label{sec:objects:category} -Category classifies websites based on site content, features, safety and so on. TSG firewall has built-in categories.TSG allows users to create user-defined categories. One FQDN may belong to multiple categories. +Category classifies websites based on their content, features, safety, and so on. TSG firewall has built-in categories.TSG allows users to create user-defined categories. One FQDN may belong to multiple categories. Please refer to \hyperlink{link:Appendix A Built-in Category}{\color{linkblue}{Appendix A Built-in Category}} for more details. 
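Review bot: The missing space in "built-in categories.TSG allows users" survives the rewrite of this sentence; separate the two sentences with a space while the line is being touched.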
@@ -229,17 +247,23 @@ Please refer to \hyperlink{link:Appendix A Built-in Category}{\color{linkblue}{A \addcontentsline{toc}{section}{Applications} \label{sec:objects:application} -An application is any program, or group of programs, that is designed for the end user to perform an activity. Applications enables visibility into the applications on the network, so you can category them and understand their characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to allow and inspect applications and deny unwanted applications. When you use policy rules to control traffic, applications can classify traffic without any additional configuration. +An application is any program or group of programs designed for the end-user to perform an activity. Application identification enables visibility into the applications +on the network to categorize them and understand their characteristics and relative risk. This application knowledge allows you to create and enforce security policy rules to +allow and inspect applications and deny unwanted applications. When you use policy rules to control traffic, applications can classify traffic without any additional configuration. -AppSketch is a traffic classification system available in TSG firewalls, determines what an application is irrespective of port, protocol, encryption or any other evasive tactic. It applies multiple classification mechanisms to your network traffic stream to accurately identify applications. These classification mechanisms include application signatures, application protocol decoding, and heuristics. +AppSketch is a traffic classification system available in TSG firewalls, determines what an application is irrespective of port, protocol, encryption, or any other evasive tactic. +It applies multiple classification mechanisms to your network traffic stream to identify applications accurately. 
+These classification mechanisms include application signatures, application protocol decoding, and heuristics. -The firewall identifies application with predefined and customized signature. The TSG firewall uses protocol decoding in the content inspection stage to determine one application from the other. After the firewall identifies the session application, security policy can be enforced as configured. The identified application as well as IP, port, protocol, Subscriber ID, FQDN and URL in the session is used as key to find rule match. +The firewall identifies applications with predefined and customized signatures. The TSG firewall uses protocol decoding in the content inspection stage to determine one application from the other. +After the firewall identifies the session application, the security policy can be enforced as configured. +The identified application and IP, port, protocol, Subscriber ID, FQDN and URL in the session are used as key to find rule match. -When creating a security policy, there are built-in protocols and well-known Applications and customized Applications in the list. -You can search the application you want to fill in. You can also use application selector and group as objects in policy. +When creating a security policy, there are built-in protocols and well-known Applications, and customized Applications in the list. +You can search the application you want to fill in. You can also use the application selector and group as objects in the policy. TSG reports enable you to show statistics about bytes sent and received based on Application Label and IP address. See \textbf{Monitoring} > \textbf{View and Manage Reports} for details. %\pdfbookmark[2]{Signatures}{Signatures} 
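Review bot: "AppSketch is a traffic classification system available in TSG firewalls, determines what an application is" still has no subject for "determines"; write "that determines". In the last rewritten paragraph, "are used as key to find rule match" should be "are used as the key to find a rule match", and "Subscriber ID, FQDN and URL" would read better as "Subscriber ID, FQDN, and URL" to match the serial commas added elsewhere in this hunk.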
@@ -247,7 +271,10 @@ TSG reports enable you to show statistics about bytes sent and received based on \addcontentsline{toc}{subsection}{Signatures} \label{sec:objects:application:signature} -In TSG, application is composed of App ID, Properties and Signature Sequence. App ID is the unique identification of Application. Application Properties include Category, Subcategory, Technology, Risk and Characteristics. You can create Application Selector based on application Properties. Signature refers to the expression of network traffic attributes in a specific scope. Traffic Attribute is a piece of information which obtained from network transfer unit. Signature Sequence is the signatures of the application that appear in a certain order. There is a sequential "and" relationship between signatures. +In TSG, the application is composed of App ID, Properties and Signature Sequence. App ID is the unique identification of Application. +Application Properties include Category, Subcategory, Technology, Risk and Characteristics. You can create Application Selector based on application Properties. +Signature refers to the expression of network traffic attributes in a specific scope. Traffic Attribute is a piece of information which is obtained from network transfer unit. +Signature Sequence is the signatures of the application that appear in a certain order. There is a sequential "and" relationship between signatures. %\begin{figure}[htb] 
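Review bot: "In TSG, the application is composed of App ID, Properties and Signature Sequence." should say "an application", since the sentence defines the object type rather than a particular one, and "obtained from network transfer unit" needs an article ("from a network transfer unit").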
@@ -273,20 +300,20 @@ In TSG, application is composed of App ID, Properties and Signature Sequence. Ap The following demonstrates how to create a customized signature. \begin{description} - \item[STEP 1.] Select \textbf{Objects} > \textbf{Applications}, select tab \textbf{Signatures} and click \textbf{Create}. + \item[STEP 1.] Select \textbf{Objects} > \textbf{Applications}, select tab \textbf{Signatures}, and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 3.] Specify a \textbf{Color}. \item[STEP 4.] (\textcolor{gold}{Optional})Enter a \textbf{Comment}. \item[STEP 5.] Add \textbf{Conditions}. You can add one or multiple conditions. The relation between New Conditions is “and”, and the relation within existing condition is “or”. - Select \textbf{Attribute Name} and this affects the rest of the available selections. Fill in the corresponding content. Note that valid keywords length is from 4 to 1024 bytes. + Select \textbf{Attribute Name}, and this affects the rest of the available selections. Fill in the corresponding content. Note that valid keywords length is from 4 to 1024 bytes. \item[STEP 6.] Click \textbf{OK}. \end{description} \notemark\textit{Within the same signature, attributes from different protocols are not allowed to serve as Conditions, except for TCP/IP/General Attributes.} -You can \textbf{Edit} or \textbf{Delete} your signature and reference one or multiple signatures when creating application object. -You can also import or export user-defined signatures in json format. +You can \textbf{Edit} or \textbf{Delete} your signature and reference one or multiple signatures when creating an application object. +You can also import or export user-defined signatures in JSON format. %\pdfbookmark[2]{Customized Attributes}{Customized Attributes} 
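Review bot: "valid keywords length is from 4 to 1024 bytes" should be "the valid keyword length is 4 to 1024 bytes". While STEP 5 is being edited, "The relation between New Conditions is "and", and the relation within existing condition is "or"" is hard to follow; say plainly that separate conditions are ANDed and the values inside one condition are ORed.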
@@ -294,7 +321,7 @@ You can also import or export user-defined signatures in json format. \addcontentsline{toc}{subsection}{Customized Attributes} \label{sec:objects:application:attribute} -The traffic attribute is the information obtained after the analysis of the network transmission unit. The attributes used by the App recognition can be found in \textbf{Appendix F Best Practices} > \textbf{\hyperlink{link:Custom Application}{\color{linkblue}{Custom Application}}}. +The traffic attribute is the information obtained after the analysis of the network transmission unit. The attributes used by the App recognition can be found in \textbf{Appendix E Best Practices} > \textbf{\hyperlink{link:Custom Application}{\color{linkblue}{Custom Application}}}. You can also upload a Lua script to create your own traffic attributes. 
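Review bot: This hunk only changes the hard-coded appendix letter ("Appendix F" to "Appendix E") while the \hyperlink target stays "link:Custom Application"; a literal letter in prose drifts every time appendices are added, removed or reordered, so reference the appendix by a \ref to its label (or drop the letter and keep only the linked title) rather than maintaining it by hand.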
@@ -305,17 +332,18 @@ The following is a basic example of how to create a customized attribute. \begin{description} \item[STEP 1.] Select \textbf{Objects} > \textbf{Applications}, select tab \textbf{Customized Attributes} and click \textbf{Create}. \item[STEP 2.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. - \item[STEP 3.] Select \textbf{Parent Attribute} from traffic attribute list. - \item[STEP 4.] Please upload \textbf{Uploaded File}. - \item[STEP 5.] Select \textbf{Attribute Type} from: Bool, Numeric Value, and String. + \item[STEP 3.] Select \textbf{Parent Attribute}. + \item[STEP 4.] Please upload an LUA script after click \textbf{Uploaded File}. + \item[STEP 5.] Select \textbf{Attribute Type} from Bool, Numeric Value, and String. \item[STEP 6.] Specify \textbf{Maximum Execution Time}. \item[STEP 7.] Click \textbf{OK}. \end{description} -\notemark\textit{Lua is a lightweight, high-level, multi-paradigm programming language designed primarily for embedded use in applications. TSG is able to interact with Lua scripts when process network traffic.} +\notemark\textit{Lua is a lightweight, high-level, multi-paradigm programming language designed primarily for embedded use in applications. +TSG can interact with Lua scripts when process network traffic.} -\notemark\textit{It is best practice to construct a Pre-Signature to improve performance when a customized attribute is referenced by Signature as a Condition.} +\notemark\textit{It is best to construct a Pre-Signature to improve performance when a customized attribute is referenced by the Signature as a Condition.} You can \textbf{Edit} or \textbf{Delete} your customized attributes and download the Uploaded File. 
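Review bot: "Please upload an LUA script after click Uploaded File" should read "Upload a Lua script by clicking Uploaded File": the language is spelled "Lua" in the note two lines later, and "after click" needs "clicking". In that note, "when process network traffic" should be "when processing network traffic".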
@@ -324,7 +352,7 @@ You can \textbf{Edit} or \textbf{Delete} your customized attributes and download \addcontentsline{toc}{subsection}{Predefined Applications} \label{sec:objects:application:predefined} -TSG supports a variety of built-in protocols and Applications. When the application is identified, the policy check determines how to treat the application. You can view all the predefined applications in the web interface. +TSG supports a variety of built-in Applications. When the application is identified, the policy check determines how to treat the application. You can view all the predefined applications in the web interface. The following table list some examples of system built-in applications: 
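Review bot: This hunk removes "protocols" from "built-in protocols and Applications", but the Applications introduction above still says "there are built-in protocols and well-known Applications, and customized Applications in the list"; decide whether protocols are listed as a separate kind of object and make both passages say the same thing. Unchanged context: "The following table list" should be "lists".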
@@ -343,13 +371,18 @@ The following table list some examples of system built-in applications: \addcontentsline{toc}{subsection}{Application Customization} \label{sec:objects:application:customize} -Applications allow you classify all traffic, across all ports, all the time. To ensure that your internal custom applications do not show up as unknown traffic, you can create a custom application. Then practice granular policy control over these applications to minimize the range of unidentified traffic on your network. +Applications allow you to classify all traffic across all ports all the time. You can create a custom application to ensure that your internal custom applications do not show up +as unknown traffic. Then practice granular policy control over these applications to minimize the range of unidentified traffic on your network. -To create a custom application, you must define the application attributes: its characteristics, category and sub-category, risk, port, timeout. In addition, you must define patterns or values that TSG can use to match to the traffic flows (the signature). Finally, you can attach the custom application to a policy that allows or denies the application (or add it to an application group or match it to an application selector). +To create a custom application, you must define the application attributes: its characteristics, category, and sub-category, risk, port, timeout. +In addition, you must define patterns or values that TSG can use to match the network sessions(the signature). +Finally, you can attach the custom application to a policy that allows or denies it (or add it to an application group or match it to an application selector). -\notemark\textit{In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how to analyze data pattern. 
If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.} +\notemark\textit{To collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how to analyze data patterns. +If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection +if it does not strictly match the pattern.} The following is a basic example of how to create a custom application. 
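Review bot: "match the network sessions(the signature)" is missing a space before the parenthesis, and "its characteristics, category, and sub-category, risk, port, timeout" has a stray comma that splits the pair; "characteristics, category and sub-category, risk, port, and timeout" keeps the list readable.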
@@ -358,34 +391,41 @@ The following is a basic example of how to create a custom application. \item[STEP 1.] Gather information about the application to create custom signatures. - To do this, you need have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application, such as uploading, downloading, or live streaming. + To do this, you need to understand the application and how you want to control access to it. For example, you may want to limit what operations users + can perform within the application, such as uploading, downloading, or live streaming. - • Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs). + • Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. + One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. + Perform different actions in the application, such as uploading and downloading, so that you can locate each type of session in the resulting packet captures (PCAPs). • Because TSG supports packet captures for all traffic, you can take packet captures using TSG. See \hyperlink{link:Take Packet Captures}{\color{linkblue}{Take Packet Captures}}. - • Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application. 
For example, look for string patterns in HTTP request or response headers, URI, or hostnames. + • Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application. + For example, look for string patterns in HTTP request or response headers, URI, or hostnames. \item[STEP 2.] Add the custom application. \begin{enumerate} \item Select \textbf{Objects} > \textbf{Applications} and click \textbf{Create}. - \item Enter a \textbf{Name} and a \textbf{Description} for the custom application that will help other administrators understand why you created the application. + \item Enter a \textbf{Name} and a \textbf{Description} for the custom application to help other administrators understand why you created the application. \item Verify that \textbf{Enabled} is enabled. Policy rules referencing applications only match to and enforce traffic based on enabled applications. - Predefined applications cannot be disabled and only allow a status of enabled. Disabling a base application could cause applications which depend on the base application to also be disabled. For example, disabling Facebook-base will disable all other Facebook applications. + Predefined applications cannot be disabled and only allow a status of enabled. Disabling a base application could cause applications which + depend on the base application also to be disabled. For example, disabling HTTPS will disable all other web-based applications. \item Define the application Properties and Characteristics. - Select the \textbf{Category}, \textbf{Subcategory}, \textbf{Technology} and \textbf{Risk} from drop-down. Add \textbf{Parent App} if there is any. Enable \textbf{Continue Scanning} if you need to. Select the checkbox for characteristics, including Evasive, Excessive Bandwidth, Prone to Misuse, SaaS, Transfer Files, Tunnels Other Apps, Used by Malware, Vulnerability and Widely Used. 
+ Select the \textbf{Category}, \textbf{Subcategory}, \textbf{Technology}, and \textbf{Risk} from the drop-down. Add \textbf{Parent App} if there is any. + Enable \textbf{Continue Scanning} if you need to. Select the checkbox for characteristics, including Evasive, Excessive Bandwidth, + Prone to Misuse, SaaS, Transfer Files, Tunnels Other Apps, Used by Malware, Vulnerability, and Widely Used. \item Define the timeout values or leave the value set to default. \end{enumerate} - \item[STEP 3.] Define the Surrogates which is the criteria that the firewall will use to match the traffic to the new application. + \item[STEP 3.] Define the Surrogates, which is the firewall's criteria to match the traffic to the new application. You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic. 
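Review bot: The replacement example "disabling HTTPS will disable all other web-based applications" claims more than the rule it illustrates: an application carried over plain HTTP does not depend on HTTPS, so either narrow it to "all applications that depend on HTTPS" or confirm that every web-based application in the predefined set is a child of HTTPS. Also in this hunk, "Define the Surrogates, which is the firewall's criteria" mixes a plural noun with "is"; "which are the criteria the firewall uses" agrees.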
@@ -393,37 +433,45 @@ The following is a basic example of how to create a custom application. Select Signatures or click plus icon to create a signature. \begin{enumerate} - \item On create a Signature page, define a Signature \textbf{Name} and optionally a \textbf{Comment} to provide information about how you intend to use this signature. + \item On the Signature Create page, define a Signature \textbf{Name} and a \textbf{Comment} to provide information about how you intend to use this signature. \item Pick a \textbf{Color} or use the default color. \item Specify \textbf{Conditions} to define signatures. - If the order in which the firewall attempts to match the signature definitions is important, make sure to enable the Ordered Match and then order the conditions so that they are evaluated in the appropriate order. Select a condition and click Move Up or Move Down. + If the order in which the firewall attempts to match the signature definitions is important, make sure to enable the Ordered Match and then + order the conditions to be evaluated in the appropriate order. Select a condition and click Move Up or Move Down. \end{enumerate} \item[STEP 4.] Click \textbf{OK}. \item[STEP 5.] Validate that traffic matches the custom application as expected. \begin{enumerate} \item Select \textbf{Policies} > \textbf{Security} and \textbf{Create} a security policy rule to allow the new application. - \item Run the application from a client system that is between the firewall and the application and then check the logs to make sure that you see traffic matching the new application (and that it is being handled per your policy rule). + \item Run the application from a client inside the firewall, and then check the logs to ensure that + you see traffic matching the new application (and that it is being handled per your policy rule). 
\end{enumerate} \end{description} -\notemark\textit{TSG enables you to import or export custom applications in batch with json format.} +\notemark\textit{TSG enables you to import or export custom applications in batch with JSON format.} %\pdfbookmark[2]{Application Selector}{Application Selector} \subsection*{\hypertarget{link:Application Selector}{Application Selector}} \addcontentsline{toc}{subsection}{Application Selector} \label{sec:objects:application:selector} -An application selector is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk and characteristics. This is useful when you want to enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs, such as Evernote, Google Docs, or Microsoft Office, for business use. To enable these types of applications, you could create an application selector that matches on the Category business-systems and the Subcategory office-programs. As new applications office programs emerge, these new applications will automatically match the selector you defined; you don’t have to make any additional changes to your policy rules to enable any application that matches the attributes you defined for the selector. +An application selector is an object that dynamically groups applications based on application attributes that you define, +including category, subcategory, technology, risk, and characteristics. This is useful when you want to enable access to applications that you do not explicitly denied, +but that you want users to be able to access. For example, you may want to allow employees to choose their office programs, +such as Evernote, Google Docs, or Microsoft Office, for business use. 
To enable these types of applications, +you could create an application selector that matches the Category business-systems and the Subcategory office-programs. +As new applications office programs emerge, these new applications will automatically match the selector you defined; +you don’t have to make any additional changes to your policy rules to enable any application that matches the attributes you defined for the selector. \begin{description} \item[STEP 1.] Select \textbf{Objects} > \textbf{Applications} > \textbf{Selectors}. \item[STEP 2.] Create a selector and give it a descriptive \textbf{Name}. \item[STEP 3.] Define the selector by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristics sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. - When you have adjusted the filter attributes to match the types of applications you want to safely enable, click \textbf{OK}. + When you have adjusted the filter attributes, click \textbf{OK}. \end{description} %\pdfbookmark[2]{Application Group}{Application Group} 
@@ -431,10 +479,15 @@ An application selector is an object that dynamically groups applications based \addcontentsline{toc}{subsection}{Application Group} \label{sec:objects:application:group} -An application group is an object that contains applications that you want to treat similarly in a policy. Application groups are useful for allow or deny access to applications that you explicitly sanction or forbid. Grouping sanctioned or forbidden applications simplifies administration of your rules. Instead of having to update individual policy rules when there is a change in the applications you sanction or deny, you can update only the affected application groups. +An application group is an object that contains applications that you want to treat similarly in a policy. +Application groups are useful for allow or deny access to applications that you explicitly sanction or forbid. +Grouping forbidden applications simplifies the administration of your rules. Instead of updating individual policy rules when +there is a change in the applications you deny, you can update only the affected application groups. -When deciding how to group applications, consider how you plan to enforce access to your applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will allow, and other applications that you want to deny. In this case, you would create separate application groups for each of these policy goals. +When deciding how to group applications, consider how you plan to enforce access to your applications and create an application group that aligns with your policy goals. +For example, you might have some applications that you will allow and other applications that you want to deny. +In this case, you would create separate application groups for each of these policy goals. \begin{description} \item[STEP 1.] Select \textbf{Objects} > \textbf{Applications} > \textbf{Groups}. 
@@ -449,7 +502,12 @@ When deciding how to group applications, consider how you plan to enforce access \addcontentsline{toc}{section}{Configure Object Group} \label{sec:objects:group} -A policy object consists of one or multiple items, while an object group is composed of one or multiple subordinate objects. An object group is also considered as an object. Typically, when creating a policy object, you organize objects that require similar permissions in policy. One object is allowed to reference same type objects as subordinate objects, but not allowed to add items in object. For example, An IP object defines a set of single address, whereas an IP object group can define more than one address object. By grouping objects, you can significantly reduce the administrative overhead in creating policies. You can create object group for all types of objects. +A policy object consists of one or multiple items, while an object group is composed of one or multiple subordinate objects. +An object group is also considered as an object. Typically, when creating a policy object, +you organize objects that require similar permissions in the policy. One object is allowed to reference the same type objects as subordinate objects, +but not add items in object. For example, An IP object defines a set of single address, whereas an IP object group can define more than one address object. +By grouping objects, you can significantly reduce the administrative overhead in creating policies. You can create object groups for all types of objects. + The following procedure explains how you can create objects group directly through the Objects page. 
@@ -459,7 +517,7 @@ The following procedure explains how you can create objects group directly throu \item[STEP 2.] To create a group, let’s take FQDN as an example, click \textbf{Create} and select FQDN group. \item[STEP 3.] Add a \textbf{Name}. The name is case-sensitive and can have up to 128 characters. \item[STEP 4.] Specify a \textbf{Color}. - \item[STEP 5.] Add one or more \textbf{Sub Objects}. Note that you cannot add sub objects and items at the same time. + \item[STEP 5.] Add one or more \textbf{Sub Objects}. Note that you cannot add subordinate objects and items at the same time. \item[STEP 6.] (\textcolor{gold}{Optional})Enter a \textbf{Description}. The description can have up to 1024 characters. \item[STEP 7.] Click \textbf{OK}. \end{description} \ No newline at end of file diff --git a/content/Policies.tex b/content/Policies.tex index ed72a11..54edeba 100644 --- a/content/Policies.tex +++ b/content/Policies.tex 
@@ -10,10 +10,10 @@ Any traffic going through TSG has to be associated with a policy. These policies flow going through TSG. These instructions control where the traffic goes, how it is processed, if it is processed, and whether or not it is allowed to pass through the gate. -When TSG receives a connection packet, it analyzes the source, destination, application and corresponding filters. Using this information, +When TSG receives a connection packet, it analyzes the source, destination, application, and corresponding filters. Using this information, TSG attempts to locate a security policy that matches the packet. If a policy matches the parameters, then TSG takes the required action for that policy. If it is Allow, the traffic is allowed to proceed to the next step. If the action is Deny, the traffic is not allowed to proceed. If the action is Monitor, -the traffic is scanned and a log is generated. If it is Intercept, the traffic is intercepted and relative proxy policy will be applied. +the traffic is scanned, and a log is generated. If it is Intercept, the traffic is intercepted, and a relative proxy policy will be applied. { \color{linkblue} @@ -30,7 +30,7 @@ the traffic is scanned and a log is generated. If it is Intercept, the traffic i \addcontentsline{toc}{section}{Policy Concepts} \label{sec:policies:concepts} -Policies allow you to enforce rules and take action. From TSG’s perspective, network packets are first resembled to a session, and identified as many manageable attributes. +Policies allow you to enforce rules and take action. From TSG’s perspective, network packets are first reassembled to a session, and identified as many manageable attributes. For example, a TLS session could be parsed to attributes as IP address, SNI, certificate and so on. For effective management, user could define policy rules with TSG user interface. 
@@ -112,11 +112,11 @@ Based aforementioned design, security policy rules are enforced as following \te \begin{enumerate} \item Packet layer: The firewall parses IP fragments, reassembles using the defragmentation process, and then parses IP header and TCP/UDP protocol headers if applicable. As application identification is on all layers, the identified application as well as IP address, ASN and Subscriber ID is used as key to find rule match. Because the application is not necessarily known in the first packets, it can take several packets to determine what the underlying application is, and rules without specifying application will be enforced in advance. \item Session layer: Packets are reassembled to network session and decoded to traffic attributes, e.g. TLS SNI (TLS handshake option), HTTP Host, Mail addresses and DNS QNAME. - \item Content layer: Content that extracted from one session or more sessions are applicable for keywords scan, e.g. HTTP request body and Mail attachment. + \item Content layer: Content extracted from one session or more sessions are applicable for keywords scan, e.g. HTTP request body and Mail attachment. \end{enumerate} \end{description} Within the layer, traffic attributes are not acquired simultaneously, which is known as \textbf{parsing stages}. This design offers stateful security functions at the application layer, -and the effectiveness of policy enforcement. The parsing stages of common protocols are listed in table below.\\ +and the effectiveness of policy enforcement. The parsing stages of common protocols are listed in the table below.\\ %\begin{table}[h] \begin{longtable}{p{0.17\textwidth}|p{0.77\textwidth}} %\begin{tabularx}{\textwidth}{p{0.17\textwidth}|p{0.77\textwidth}} 
@@ -148,7 +148,7 @@ and the effectiveness of policy enforcement. The parsing stages of common protoc %\end{tabularx} %\end{table} \end{longtable} -As the firewall receives more packets and do more in-depth inspection, more traffic attributes and content are ready for policy enforcement, which is shown in figure below.\\ +As the firewall receives more packets and more in-depth inspection, more traffic attributes and content are ready for policy enforcement, shown in the figure below.\\ %\begin{figure}[htb] 
@@ -170,22 +170,21 @@ As the firewall receives more packets and do more in-depth inspection, more traf \end{figure} -It is highly likely that even after only a relatively small number of policies have been created that there will be some that overlap -or are subsets of the parameters that the policies use to determine which policy should be matched against the incoming traffic. -When this happens there has to be a method to determine which policy should be applied to the packet. The method which is used by TSG is the policy hierarchy. -In another words, policies with lower inspection layers and earlier parsing stages are precedent. For example, a HTTP session, its URL appears before response body. -That’s why policy rules that inspect HTTP response body, are always evaluated after ones that inspect URL. +It is highly likely that even after only a relatively small number of policies have been created, there will be some that overlap or are subsets of the policies' parameters +to determine which policy should be matched against the incoming traffic. When this happens, there must be a method to determine which policy should be applied to the packet. +The method which TSG uses is the policy hierarchy. In other words, policies with lower inspection layers and earlier parsing stages are precedents. +For example, in an HTTP session, its URL appears before the response body. That’s why policy rules that inspect HTTP response body are always evaluated after ones that inspect URL. \notemark\textit{A policy rule that combines with condition fields of different layers and stages are evaluated at the last layer and stage. 
Rule stage is decided by policy condition fields; and rule modification may change the rule stages.} -As firewall maybe unable to determine the exact application from the first packet, a session may be allowed through the firewall as undecided -until the application is identified, at which time the security rules are re-evaluated and an appropriate action is taken. +As the firewall may be unable to determine the exact application from the first packet, a session may be allowed through the firewall as undecided until the application is identified. +The security rules are re-evaluated, and appropriate action is taken. -For more details about how TSG process packet flow, please see \hyperlink{link:Appendix E TSG Packet Flow}{\color{linkblue}{Appendix E TSG Packet Flow}}. +For more details about how TSG process packet flow, please see \hyperlink{link:Appendix D TSG Packet Flow}{\color{linkblue}{Appendix D TSG Packet Flow}}. %\pdfbookmark[1]{Security Policy}{Security Policy} \section*{\hypertarget{link:Security Policy}{Security Policy}} @@ -194,7 +193,7 @@ For more details about how TSG process packet flow, please see \hyperlink{link:A Security policies determine whether to deny, allow, monitor or intercept a session based on initial session attributes, such as the subscriber ID, IP addresses, ports, protocols and applicable protocol fields (e.g. TLS SNI). -On TSG, security policy rules are enforced by firewall module. +On TSG, security policy rules are enforced by the firewall module. All traffic passing through the firewall is matched against a session and each session is matched against a security policy rule. 
@@ -219,7 +218,9 @@ The Security policy rule construct permits a combination of the required and opt \rowcolor{black}\multicolumn{1}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{\begin{tabular}{l}Required/\\Optional\end{tabular}}} & \multicolumn{1}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{Field}} & \textcolor{white}{Description}\\\hline \multirow{3}{*}{Required} & Name & A label (up to 128 characters) that identifies the rule.\\ \cline{2-3} & Action & Specifies an Allow, Deny, Monitor or Intercept action for the traffic based on the criteria you define in the rule. For more details, see \hyperlink{link:Security Actions}{\color{linkblue}{Security Policy Actions}}. \\ \cline{2-3} - & Application & The application that you wish to control. It provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed. For more information, see \textbf{Objects} > \textbf{Applications}.\\ \hline + & Application & The application that you wish to control. It provides application control and visibility in creating security policies that block unknown applications, + while enabling, inspecting, and shaping those that are allowed. The Application selection is optional for Deny, Allow and Monitor action. + For more information, see \textbf{Objects} > \textbf{Applications}.\\ \hline \multirow{9}{*}{Optional} & Source & Define host IP addresses, address groups, Subscriber ID, IP Learning, or Geographic enforcement.\\ \cline{2-3} & Destination & The location or destination for the packet. Define host IP addresses, address groups, IP Learning, or Geographic enforcement.\\ \cline{2-3} & Filter & All web traffics are compared against the filtering, giving you a way to safely control how your users interact with online content. 
You will have Filter available when you select only one of the following protocols: HTTP, SSL, DNS, MAIL, FTP, QUIC and SIP in Applicationfield.\\ \cline{2-3} @@ -266,7 +267,7 @@ For traffic that matches the attributes defined in a security policy, you can ap Support Action Parameters: \textbf{Mirror Traffic} which is not enabled by default. If you enable mirror traffic, the current and subsequent packets that hit the policy will be mirror to external device. Enable Add VLAN ID and specify VLAN ID to designate mirror destination address. - Note that the mirror traffic function is only effective on ATCA (TSG9140). Its corresponding Security Event logs will record mirrored\_pkts and mirrored\_bytes of packet mirroring and support retrieval by these fields. + Note that the mirror traffic function is only available on TSG 9000 Series. Its corresponding Security Event logs will record mirrored\_pkts and mirrored\_bytes of packet mirroring and support retrieval by these fields. \\\hline \end{longtable} 
@@ -287,21 +288,22 @@ and their relative risk. When you define policy rules to control traffic, applic \begin{longtable}{p{0.14\textwidth}|p{0.19\textwidth}|p{0.58\textwidth}} \rowcolor{black}\multicolumn{2}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{Applications Type}} & \textcolor{white}{Description}\\\hline \multirow{3}{*}{Application} & Basic Protocols & Network protocols ensure that computer network devices can transmit and receive data using a common language regardless of their different designs, hardware or infrastructures. - List all 50 basic protocols: + List basic protocols that when selected, field is optional: - Unknown\_TCP, Unknown\_UDP, Unknown\_Other, DNS, FTP, FTPS, HTTP, HTTPS, ICMP, IKE, IMAP, MAIL, IMAPS, IPSEC, XMPP, L2TP, NTP, POP3, POP3S, PPTP, QUIC, SIP, SMB, SMTP, SMTPS, SPDY, SSH, SSL, SOCKS, TELNET, DHCP, RADIUS, OPENVPN, STUN, TEREDO, DTLS, DoH, ISAKMP, MDNS, NETBIOS, NETFLOW, RDP, RTCP, RTP, SLP, SNMP, SSDP, TFTP, BJNP, LDAP, RTMP, RTSP. + HTTP, SSL, QUIC, DNS, MAIL, FTP, SIP. + %Unknown\_TCP, Unknown\_UDP, Unknown\_Other, DNS, FTP, FTPS, HTTP, HTTPS, ICMP, IKE, IMAP, MAIL, IMAPS, IPSEC, XMPP, L2TP, NTP, POP3, POP3S, PPTP, QUIC, SIP, SMB, SMTP, SMTPS, SPDY, SSH, SSL, SOCKS, TELNET, DHCP, RADIUS, OPENVPN, STUN, TEREDO, DTLS, DoH, ISAKMP, MDNS, NETBIOS, NETFLOW, RDP, RTCP, RTP, SLP, SNMP, SSDP, TFTP, BJNP, LDAP, RTMP, RTSP. \\ \cline{2-3} & \tabincell{l}{Predefined\\ Applications} & TSG has various predefined applications. \\ \cline{2-3} - & \tabincell{l}{Customized\\ Applications} & TSG allows you create custom applications and reference the customized application objects in policy.\\\hline - Selector & Selector & TSG allows you dynamically group applications based on application properties that you define into one object Selector. It is available for Action Allow and Deny. For more details, see \hyperlink{link:Application Selector}{\color{linkblue}{Application Selector}}. 
\\ \hline + & \tabincell{l}{Customized\\ Applications} & TSG allows you to create custom applications and reference the customized application objects in the policy.\\\hline + Selector & Selector & TSG allows you dynamically group applications based on application properties that you define into one Object Selector. It is available for Action Allow and Deny. For more details, see \hyperlink{link:Application Selector}{\color{linkblue}{Application Selector}}. \\ \hline Group & Group & An application group is an object that contains applications that you want to treat similarly in a policy. It is available for Action Allow and Deny. For more details, see \hyperlink{link:Application Group}{\color{linkblue}{Application Group}}. \\ \hline \end{longtable} -You will have Filter available when you select only one of the following protocols: HTTP, SSL, DNS, MAIL, FTP, QUIC and SIP. +You will have Filter available when you select only one of the following protocols: HTTP, SSL, DNS, MAIL, FTP, QUIC, and SIP. The following table lists different Filter fields for each protocol and the available object type you can select for each filter field, -it also shows whether each filter field support allow, deny, monitor and intercept action or not. +it also shows whether each filter field support allow, deny, monitor, and intercept action or not. % @@ -358,7 +360,7 @@ The Evaluation Order for security policy is described as following. Security policy is evaluated before Proxy policy. Proxy manipulation requires targeted sessions are intercepted in security policies. -That is to say an intercept security policy rule is the prerequisite for proxy policy. +That is to say, an intercept security policy rule is the prerequisite for proxy policy. Traffic can match one or multiple security policy rules with monitor action. This means traffic can hit multiple security policy rules only with monitor actions. 
@@ -385,7 +387,7 @@ There are three factors in evaluation of policies. They are condition, action an \end{description} -For more details about how TSG process packet flow, please see \textbf{\hyperlink{link:Appendix E TSG Packet Flow}{\color{linkblue}{Appendix E TSG Packet Flow}}}. +For more details about how TSG process packet flow, please see \textbf{\hyperlink{link:Appendix D TSG Packet Flow}{\color{linkblue}{Appendix D TSG Packet Flow}}}. %\pdfbookmark[3]{Voice over Internet Protocol}{Voice over Internet Protocol} \subsubsection*{\hypertarget{link:Voice over Internet Protocol}{Voice over Internet Protocol}} @@ -400,7 +402,7 @@ TSG supports allow, deny and monitor VoIP based on IP address and/or accounts an For now, TSG only supports the mentioned actions above with VoIP calls using SIP for signaling and RTP for delivering audio data. -To view detailed description about VoIP log fields, see \textbf{Appendix C Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:SIP}{\color{linkblue}{SIP}}} and \textbf{\hyperlink{link:RTP}{\color{linkblue}{RTP}}}. +To view a detailed description of VoIP log fields, see \textbf{Appendix B Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:SIP}{\color{linkblue}{SIP}}} and \textbf{\hyperlink{link:RTP}{\color{linkblue}{RTP}}}. \subsubsection*{\hypertarget{link:GPRS Tunneling Protocol(GTP)}{GPRS Tunneling Protocol(GTP)}} \addcontentsline{toc}{subsubsection}{GPRS Tunneling Protocol(GTP)} 
@@ -412,7 +414,7 @@ GTP comprises three types of traffic—control plane (GTP-C), user plan TSG supports GTP, which allows you to inspect, validate, filter, and perform security checks on GTPv2-C, GTPv1-C. -To view detailed description about GTP log fields, see \textbf{Appendix C Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:GTP-C}{\color{linkblue}{GTP-C}}}. +To view a detailed description of GTP log fields, see \textbf{Appendix B Log Fields Description} > \textbf{Log Fields per Protocol} > \textbf{\hyperlink{link:GTP-C}{\color{linkblue}{GTP-C}}}. %\pdfbookmark[2]{Allow Rules}{Allow Rules} \subsection*{\hypertarget{link:Allow Rules}{Allow Rules}} @@ -420,7 +422,7 @@ To view detailed description about GTP log fields, see \textbf{Appendix C Log Fi \addtocontents{toc}{\protect\newpage} \label{sec:policies:security:allow} -TSG allows the network traffic to pass through, without apply further policy checking. You can define traffic that you choose not to enforce policies because of business, +TSG allows the network traffic to pass through without applying further policy checking. You can define the traffic attributes that you choose not to enforce policies because of business, regulatory, personal, or other reasons, such as financial, health, military, or government traffic. 
@@ -432,15 +434,15 @@ If you wish to have logs, it is recommended to create monitor rules with Log Ses \addcontentsline{toc}{subsection}{Intercept Rules} \label{sec:policies:security:intercept} -Security policy with intercept action allows you to define traffic that you want the Proxy to terminate. Both HTTP and HTTPS sessions could be terminated. +A security policy with intercept action allows you to define the traffic you want the Proxy to terminate. Both HTTP and HTTPS sessions could be terminated. You can do further manipulation on intercepted traffic with Proxy Policy. When an SSL session is set to intercept, the Proxy terminates the client-side session and initiates a new server-side session. -Thus, the server certificate is replaced and content is decrypted. +Thus, the server certificate is replaced, and content is decrypted. -You can specify different keyrings for individual intercept policy. If not, the Proxy uses the default keyring for trusted website. +You can specify different keyrings for individual intercept policy. If not, the Proxy uses the default keyring for a trusted websites. Keyrings are managed via \textbf{Certificate Managements} > \textbf{\hyperlink{link:Decryption Keyrings}{\color{linkblue}{Decryption Keyrings}}}. %\pdfbookmark[3]{Intercept Options}{Intercept Options} 
@@ -449,17 +451,17 @@ Keyrings are managed via \textbf{Certificate Managements} > \textbf{\hyperlink{l \label{sec:policies:security:intercept:option} While policy objects enable you to identify traffic to enforce policies, policy profiles help you define further action. -When you create an Intercept policy and select the SSL application to enable access to encrypted sites, you will have three Action Parameters, -namely Keyring, Mirror Decrypted Traffic and Decryption Profile. They serve as your intercept options. +When you create an Intercept policy and select the SSL application to enable access to encrypted sites, you will have three action parameters: +Keyring, Mirror Decrypted Traffic, and Decryption Profile. They serve as your intercept options. -• You can specify a Keyring or use TrustedDefault. To specify a different Keyring, select the item from drop-down or click the plus icon to create a new one. For more details, see \hyperlink{link:Decryption Keyrings}{\color{linkblue}{Decryption Keyrings}}. +• You can specify a Keyring or use TrustedDefault. To specify a different Keyring, select the item from the drop-down or click the plus icon to create a new one. For more details, see \hyperlink{link:Decryption Keyrings}{\color{linkblue}{Decryption Keyrings}}. -• If you enable Mirror Decrypted Traffic, you can select one item from drop-down or click the plus icon to create a new profile. For more details, see \hyperlink{link:Traffic Mirror Profile}{\color{linkblue}{Traffic Mirror Profile}}. +• If you enable Mirror Decrypted Traffic, you can select one item from the drop-down or click the plus icon to create a new profile. For more details, see \hyperlink{link:Traffic Mirror Profile}{\color{linkblue}{Traffic Mirror Profile}}. -• You can use decryption-default for your Decryption Profile, or you can select different one from drop-down and create new ones. For more details, see \hyperlink{link:Decryption Profile}{\color{linkblue}{Decryption Profile}}. 
+• You can use decryption-default for your Decryption Profile, or select a different one from the drop-down and create new ones. For more details, see \hyperlink{link:Decryption Profile}{\color{linkblue}{Decryption Profile}}. %\pdfbookmark[3]{Proxy Limitations}{Proxy Limitations} \subsubsection*{\hypertarget{link:Proxy Limitations}{Proxy Limitations}} @@ -480,7 +482,7 @@ personal, or other reasons. The other is traffic that breaks decryption for tech \item[-] Apple Store \end{itemize} \item Mutual Authentication (Client Certificate Request) - \item Some android System that unable to install root certificate + \item Some Android OS that unable to install the root certificate \item Website using HPKP \item Nonstandard SSL/TLS implications \item SSLv1.0, SSLv2.0 are not supported 
@@ -499,21 +501,21 @@ For policies that match SSL Decryption Exclusion are evaluated before intercept \label{sec:policies:security:intercept:troubleshooting} You can find out if the interception is successful by checking if the certificates are issued by your pre-configured Root CA. -You should exercise with cautions because web applications may not cooperate with SSL interception. +You should exercise caution because web applications may not cooperate with SSL interception. • Your connection is not private/secure -Visit the website that should match the intercept rule. For Chrome, Microsoft Internet Explorer and Firefox, click the lock icon next to the address bar to view website certificates. -If the browser warning that the connection is not secure, one possible reason is you haven’t install/trust the root certificate yet. +Visit the website that should match the intercept rule. For Chrome, Microsoft Internet Explorer, and Firefox, click the lock icon next to the address bar to view website certificates. +If the browser is warning that the connection is not secure, one possible reason is you haven’t installed/trusted the root certificate yet. -Another possible reason is that the site uses an incomplete certificate chain, the Proxy doesn’t automatically fix the chain as a browser would. -Although Proxy is able to cache unseen intermediate certificates that issued +Another possible reason is that the site uses an incomplete certificate chain. The Proxy doesn’t automatically fix the chain as a browser would. +Although Proxy can cache unseen intermediate certificates issued by trusted root (\textbf{Certificate Managements} > \textbf{\hyperlink{link:Cached Intermediate Certificates}{\color{linkblue}{Cached Intermediate Certificates}}}), -you still need to manually download the missing intermediate certificates occasionally. 
-Missing certificates could be import via \textbf{Certificate Managements} > \textbf{\hyperlink{link:Trusted Certificate Authorities}{\color{linkblue}{Trusted Certificate Authorities}}}. +you still need to download the missing intermediate certificates occasionally manually. +Missing certificates could be imported via \textbf{Certificate Managements} > \textbf{\hyperlink{link:Trusted Certificate Authorities}{\color{linkblue}{Trusted Certificate Authorities}}}. • Handling Web Sites Where Decrypt Re-sign Works for a Browser but not an App (SSL or Certificate Authority Pinning) 
@@ -521,23 +523,23 @@ Missing certificates could be import via \textbf{Certificate Managements} > \tex Some apps for smart phones and other devices use a technique called SSL (or Certificate Authority) pinning. The SSL pinning technique embeds the hash of the original server certificate inside the app itself. -As a result, when the app receives the resigned certificate from TSG, the hash validation fails and the connection is aborted. +As a result, when the app receives the resigned certificate from TSG, the hash validation fails and abort the connection. -If internet users cannot connect to the web site using the site’s app, but they can connect using the web browser, -even when using the browser on the same device where the app fails. For example, users cannot use the Facebook iOS or android app, -but they can point Safari or Chrome at https://www.facebook.com and make a successful connection. +If internet users cannot connect to the website using the site’s app, but they can connect using the web browser, +even when using the browser on the same device where the app fails. For example, users cannot use the Facebook iOS or Android app, +but they can visit https://www.facebook.com with Safari or Chrome. Because SSL pinning is specifically used to avoid man-in-the-middle attacks, there is no workaround. You must choose between the following options: -- Support app users, by enabling Certificate Pinning dynamic bypass option, in which case you can only decrypt browser traffic to the site. +- Support app users, by enabling the Certificate Pinning dynamic bypass option, in which case you can only decrypt browser traffic to the site. For more details, see \textbf{Proxy Profiles} > \textbf{\hyperlink{link:Trusted Certificate Authorities}{\color{linkblue}{Decryption Profile}}}. - Force users to use browsers only. 
If you must decrypt traffic to the site, you will need to inform users that they cannot use the site’s app -when connecting through your network, that they must use their browsers only. +when connecting through your network, and use their browsers only. %\pdfbookmark[2]{Create a Security Policy Rule}{Create a Security Policy Rule} \subsection*{\hypertarget{link:Create a Security Policy Rule}{Create a Security Policy Rule}} 
@@ -552,34 +554,36 @@ when connecting through your network, that they must use their browsers only. \item[STEP 4.] Define the matching criteria for the destination fields in the packet. Specify one or multiple \textbf{Destination} IP Addresses or leave the value set to any. - \notemark\textit{As a best practice, use address objects as the Destination Address to enable access to only specific servers or specific groups of servers especially + \notemark\textit{As a best practice, use address objects as the Destination Address to enable access to only specific servers or specific groups of servers, especially for commonly exploited services, such as DNS and VPN.} - \item[STEP 5.] Select one or more \textbf{Applications}. There are built-in protocols and well-known Applications and customized Applications in the list. - You can search the application you want to fill in. You can also use application \textbf{Selector} and \textbf{Group} as objects in policy. + \item[STEP 5.] Select one or more \textbf{Applications}. There are built-in protocols and well-known Applications, and customized Applications in the list. + You can search the application you want to fill in. You can also use the application \textbf{Selector} and \textbf{Group} as objects in the policy. For more details, see \textbf{Security Policy} > \textbf{\hyperlink{link:Security Applications and Filters}{\color{linkblue}{Applications and Filters}}} and \textbf{Objects} > \textbf{\hyperlink{link:Applications}{\color{linkblue}{Applications}}}. \item[STEP 6.] (\textcolor{gold}{Optional}) Specify a \textbf{Filter} as match criteria for the rule. For example, select a \textbf{Category} for \textbf{Host}. If you select a category, only web traffic will match the rule and only if the traffic is destined for that specified category. For more details, see \textbf{Security Policy} > \textbf{\hyperlink{link:Security Applications and Filters}{\color{linkblue}{Applications and Filters}}}. 
- \notemark\textit{Filter is not available when multiple or no applications are selected.} + \notemark\textit{The filter is not available when multiple or no applications are selected.} \item[STEP 7.] (\textcolor{gold}{Optional})Specify a \textbf{Tag} or leave the value empty. You can select one or more Policy Tags which are created from \textbf{Policies} > \textbf{Tags} previously. Optionally, you can click the plus icon to create new Tags. After you click the icon, a page will slide in on the right. Enter the \textbf{Tag Category}. Pick a \textbf{Color}. And add one or multiple \textbf{Tags}. Then you can select the tag you just created from the list. \item[STEP 8.] Specify \textbf{Effective Devices} by choosing Device Tags or leave the value empty, which means the policy is effective on all devices by default. - Device Tags are built-in labels to classify the devices according to user’s requirement when TSG is deployed. Normally, the Device Tags will be classified by areas or ISPs. + Device Tags are built-in labels to classify the devices according to the user’s requirement when TSG is deployed. Normally, the Device Tags will be classified by areas or ISPs. \item[STEP 9.] (\textcolor{gold}{Optional})Enter a \textbf{Description} for the rule. \item[STEP 10.] (\textcolor{gold}{Optional})Select a \textbf{Schedule} or leave the value set to always. For more details, see \textbf{Policies} > \textbf{\hyperlink{link:Schedules}{\color{linkblue}{Schedules}}}. \notemark\textit{If you select a schedule, the schedule will determine when the policy will be enabled and effective. - This means you don’t have to turn the Enabled switch on. Because the policy will automatically be effective according to your specified schedule. - And even if you set the policy Enabled, the policy will not be effective, if it has not reached the schedule time frame.} - \item[STEP 11.] Verify that \textbf{Log Session} is enabled if you wish to have logs. 
Only traffic that matches a Security policy rule will be logged. + This means you don’t have to turn the Enabled switch on. Because the policy will automatically be effective according to your specified schedule, + and even if you set the policy Enabled, the policy will not be effective if it has not reached the schedule time frame.} + \item[STEP 11.] Verify that \textbf{Log Session} is enabled if you wish to have event logs. Only traffic that matches a Security policy rule will be logged. \item[STEP 12.] Verify that \textbf{Enabled} is enabled. \item[STEP 13.] Click \textbf{OK} to save the policy rule. - \item[STEP 14.] (\textcolor{gold}{Optional})To verify that you have set up your policies effectively, test whether your Security policy rules are being evaluated and determine which Security policy rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 when it sends a HTTP request to the 172.16.0.1 server: + \item[STEP 14.] (\textcolor{gold}{Optional})To verify that you have set up your policies effectively, test whether your Security policy rules are being evaluated + and determine which rule applies to a traffic flow. For example, to verify the policy rule that will be applied for a client with the IP address 192.168.0.1 + when it sends an HTTP request to the 172.16.0.1 server: \begin{enumerate} \item Select \textbf{Settings} > \textbf{Trouble Shooting} and select \textbf{Policy Verify} tab. \item Select \textbf{Security Policy Match} from the \textbf{Select Test} drop-down. 
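Review bot: The schedule note in STEP 10 still contains a sentence fragment after the rewrite: "This means you don’t have to turn the Enabled switch on. Because the policy will automatically be effective according to your specified schedule, and even if ..." starts a sentence with "Because". Suggest joining the two: "This means you don’t have to turn the Enabled switch on, because the policy will automatically be effective according to your specified schedule; even if you set the policy Enabled, it will not be effective until the schedule time frame is reached." Minor, same hunk: STEP 7, 9 and 10 have `(\textcolor{gold}{Optional})Specify` with no space after the closing brace, while STEP 6 has one.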
@@ -588,21 +592,23 @@ when connecting through your network, that they must use their browsers only. \item Select the \textbf{Protocol} and \textbf{APP ID}. \item Click \textbf{Verify} to execute the \textbf{Security policy match} test. \end{enumerate} - \item[STEP 15.] After the policy has been hit. View \textbf{Logs} to monitor the policy rule status and determine the effectiveness of the policy rule. + \item[STEP 15.] After the policy has been hit, view \textbf{Logs} to monitor the policy rule status and determine the effectiveness. Select \textbf{Logs} > \textbf{Security Events} and view relative information about the policy. \end{description} You can view detailed information about the policy you just created. To edit and delete the policy, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can export the contents of policies to a json file. First, search policies according to ID, Name. Then, click the Export icon on the right to download and save the file to your local folder. +You can export the contents of policies to a JSON file. First, search policies according to ID, Name. Then, click the Export icon on the right to download and save the file to your local folder. -You can also import policies by clicking the import icon. Only json and txt formats can be uploaded. You can take the exported file as template for import. +You can also import policies by clicking the import icon. Only JSON and txt formats can be uploaded. You can take the exported file as a template for import. -Select the checkbox for policies in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and select Policy tab to view the Watch List. -You can search policies by ID and Name in the list. The Watch feature gives you the ability to observe policies and objects on which you wish to keep an eye any time. 
In policy list page, click Hit Count if there are any, to view corresponding log list. In policy detail page, click Log Count to jump to corresponding log list. +Select the checkbox for policies in the list and Click \textbf{Watch} at the bottom to add to Watch List. +And then, you can click the star icon in the bottom right and select the Policy tab to view the Watch List. +You can search policies by ID and Name in the list. The Watch feature gives you the ability to observe policies and objects on which you wish to keep an eye at any time. +On policy list page, click Hit Count if there are any, to view the corresponding log list. On policy detail page, click Log Count to jump to the corresponding log list. \notemark\textit{Policy No. 0: For traffic that passes through TSG but does not hit any policies, the traffic is executed according to policy No. 0. 
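Review bot: Two small grammar points remain in the rewritten Watch/Hit Count paragraph: "in the list and Click \textbf{Watch}" capitalises "Click" mid-sentence, and "On policy list page" / "On policy detail page" are missing "the". Suggest "and click \textbf{Watch}" and "On the policy list page ... On the policy detail page".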
@@ -613,13 +619,17 @@ The conditions of policy No. 0 are all any, and by default the action is Allow. \addcontentsline{toc}{section}{Proxy Policy} \label{sec:policies:proxy} -Proxy policy instructs the proxy how to manipulate a session. Manipulation requires targeted sessions are intercepted in security policies. An individual manipulation policy rules determine whether to allow, monitor, deny or manipulate a session based on traffic attributes. Valid objects depend on specific action. +The proxy policy instructs the proxy on how to manipulate a session. Manipulation requires targeted sessions are intercepted in security policies. +An individual manipulation policy rules determine whether to allow, monitor, deny or manipulate a session based on traffic attributes. Valid objects depend on a specific action. -Proxy policy works correctly on all platforms, including Windows, Linux, MacOS, Android, iOS, etc. and also supports console commands, such as wget and curl, mobile devices, tablets and workstations in all locations. But TSG does not support TV device that cannot install the certificate, and device with Android 7.0 and versions below. +The proxy policy works correctly on all platforms, including Windows, Linux, macOS, Android, iOS, etc., and also supports console commands, +such as wget and curl, mobile devices, tablets, and workstations in all locations. But TSG does not support TV devices that cannot install the certificate, +and device with Android 7.0 and versions below. -For the site which breaks decryption for certificate pinning, the proxy only can bypass or deny the traffic based on your configuration. For more details, see \hyperlink{link:Decryption}{\color{linkblue}{Decryption}}. +For the site which breaks decryption for certificate pinning, the proxy only can bypass or deny the traffic based on your configuration. +For more details, see \hyperlink{link:Decryption}{\color{linkblue}{Decryption}}. 
%\pdfbookmark[2]{Components of a Proxy Policy Rule}{Components of a Proxy Policy Rule} \subsection*{\hypertarget{link:Components of a Proxy Policy Rule}{Components of a Proxy Policy Rule}} 
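Review bot: Subject-verb agreement is broken in the new Proxy Policy intro: "An individual manipulation policy rules determine" should be either "An individual manipulation policy rule determines" or "Individual manipulation policy rules determine". In the same hunk, "Manipulation requires targeted sessions are intercepted" reads better as "requires that targeted sessions be intercepted", "and device with Android 7.0 and versions below" should be "and devices running Android 7.0 or below", and "the proxy only can bypass or deny" should be "can only bypass or deny".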
@@ -634,16 +644,19 @@ The Proxy Policy rule construct permits a combination of the required and option \multirow{2}{*}{Required} & Name & A label (up to 128 characters) that identifies the rule.\\ \cline{2-3} & Action & Specifies an Allow, Deny, Monitor, Redirect, Replace, Hijack or Insert action for the traffic based on the criteria you define in the rule. For more details, see \hyperlink{link:Proxy Actions}{\color{linkblue}{Proxy Policy Actions}}. \\ \hline - \multirow{11}{*}{Optional} & Source & Define host IP addresses, address groups, Subscriber ID, IP Learning, or Geographic enforcement.\\ \cline{2-3} - & Destination & The location or destination for the packet. Define host IP addresses, address groups, IP Learning, or Geographic enforcement.\\ \cline{2-3} - & Filter & All web traffics are compared against the filtering, giving you a way to safely control how your users interact with online content. You must fill one of the Source, Destination or Filter.\\ \cline{2-3} - & Application & The application that you wish to control. It provides application control and visibility in creating proxy policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.\\ \cline{2-3} + \multirow{11}{*}{Optional} & Source & Define Client IP addresses, address groups, Subscriber ID, IP Learning, or Geographic enforcement.\\ \cline{2-3} + & Destination & Define Server IP addresses, address groups, IP Learning, or Geographic enforcement.\\ \cline{2-3} + & Filter & All network sessions are compared against the filtering, giving you a way to safely control how your users interact with online content. + You must fill one of the Sources, Destination, or Filter.\\ \cline{2-3} + & Application & The application that you wish to control. 
It provides application control and visibility in creating proxy policies + that block unknown applications, while enabling, inspecting, and shaping allowed ones.\\ \cline{2-3} & Tag & A keyword or phrase that help you to identify the policy. \\ \cline{2-3} & Effective Devices & Select the devices that the security rule will be applied.\\ \cline{2-3} & Schedule & Schedule when (day and time) the security rule should be in effect. \\ \cline{2-3} - & Log Session & When enabled, traffic that match security policies will be logged in Security Events. \\ \cline{2-3} - & Log Option & Metadata and All: Metadata only structured logs are recorded. All provides raw log files for some special log fields, such as content of HTTP request header or HTTP response content.\\ \cline{2-3} - & Description & A text field, up to 1024 characters, used to describe the rule. \\ \cline{2-3} + & Log Session & When enabled, traffic that matches security policies will be logged in Security Events. \\ \cline{2-3} + & Log Option & Metadata and All: Metadata only structured logs are recorded. Metadata only structured logs are recorded. + All provide raw log files for particular log fields, such as content of HTTP request header or HTTP response content.\\ \cline{2-3} + & Description & A text field, up to 1024 characters, is used to describe the rule. \\ \cline{2-3} & Enabled & Only enabled policies will be enforced.\\ \hline \end{longtable} 
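Review bot: The Log Option cell now contains the sentence "Metadata only structured logs are recorded." twice in a row; drop the second copy, and "All provide raw log files" should be "All provides raw log files". Also in this hunk, "You must fill one of the Sources, Destination, or Filter." should use the row name "Source". A consistency point on the untouched rows of this Proxy table: the Log Session row says "traffic that matches security policies will be logged in Security Events", and the Effective Devices and Schedule rows refer to "the security rule", while STEP 11 of Create a Proxy Policy Rule (hunk @@ -788) says matching traffic produces proxy event logs. These rows look copied from the Security Policy table and should say "proxy policies" / "the proxy rule".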
@@ -657,12 +670,12 @@ For traffic that matches the attributes defined in a proxy policy, you can apply \begin{longtable}{p{0.12\textwidth}|p{0.82\textwidth}} \rowcolor{black}\multicolumn{1}{l!{\color{white}\vrule width 0.5pt}}{\textcolor{white}{Action}} & \textcolor{white}{Description} \\\hline - Allow & The Proxy pass-through the matched sessions. The traffic is allowed to proceed to the next step.\\ \hline - Deny & The Proxy terminate matched HTTP session with an error page. More information of uploading a html file, + Allow & The Proxy passes the matched sessions. The traffic is allowed to proceed to the next step.\\ \hline + Deny & The Proxy terminated matched HTTP session with an error page. For more information of uploading an HTML file, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Response Pages}{\color{linkblue}{Response Pages}}}.\\ \hline Monitor & The Proxy produce a log to record matched HTTP session information.\\\hline - Redirect & The Proxy redirect matched HTTP session to a predefined URL. Since redirection - need to be performed before delivering response to client, condition of response body is not + Redirect & The Proxy redirects matched HTTP sessions to a predefined URL. Since redirection + needs to be performed before delivering a response to client, the condition of response body is not applicable in this action. You MUST configure the redirect response via Response Code and Redirect URL. The Destination URL should begin with a valid protocol (http:|https:). You SHOULD NOT select 301 as Response Code unless you exactly know what you are doing. This action produces a log. 
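Review bot: The Deny row introduces a tense error: "The Proxy terminated matched HTTP session with an error page" should be "The Proxy terminates the matched HTTP session with an error page". The unchanged Monitor row right below has the same agreement problem ("The Proxy produce a log" should be "produces") and could be fixed in this pass.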
@@ -671,12 +684,16 @@ For traffic that matches the attributes defined in a proxy policy, you can apply The Redirected URL can include Policy ID, Subscriber ID and/or Client IP. For example, http://www.example.com/query?pageid=12345\&policy\_id=\\ \{\{tsg\_policy\_id\}\}\&user\_id=\{\{tsg\_subscriber\_id\}\}\&source\_ip=\{\{tsg\_client\_ip\}\} \\\hline - Replace & The Proxy Searches in a given HTTP part to Find a given string, and Replace any matches with another given string. If no match was found, the session remained untouched. For performance concerns, condition of request body and response body is not available in this action. For example, you can configure the Proxy to search in the response body of URL “www.example.com/index.html”, find every “string1” and replace with “string2”. This action produces a log. You can use regex to do replacement, e.g. case insensitive find “(?i)CaSEInSensitive(?-i)”. You can add multiple replacement. + Replace & The Proxy Searches in a given HTTP part to Find a given string and Replace any matches with another given string. + If no match was found, the session remained untouched. For performance concerns, the condition of the request body and response body is not available in this action. + For example, you can configure the Proxy to search in the response body of URL “www.example.com/index.html”, find every “string1” and replace with “string2”. + This action produces a log. You can use regex to do replacement, e.g. case insensitive find “(?i)CaSEInSensitive(?-i)”. You can add multiple replacement. - \notemark \textit{Note that when searching and replacing content, there must be at least 512 characters of the replaced content. And the system support utf8 encoding and has the ability to replace content of different languages, including Kazakh, Russian and English.}\\ \hline - Hijack & The Proxy hijack a downloading file. Supported file type are img, exe, apk and html. 
More information of uploading a file for hijack, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Hijack Files}{\color{linkblue}{Hijack Files}}}.\\ \hline - Insert & The Proxy insert a “js” or “css” scripts to webpages. More details of uploading a script, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Insert Scripts}{\color{linkblue}{Insert Scripts}}}.\\ \hline + \notemark \textit{Note that when searching and replacing content, there must be at least 512 characters of the replaced content. + And the system supports utf8 encoding and can replace the content of different languages, including Chinese, English, Russian and Kazakh.}\\ \hline + Hijack & The Proxy hijacks a downloading file. Supported file types are img, exe, apk and html. More information of uploading a file for hijack, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Hijack Files}{\color{linkblue}{Hijack Files}}}.\\ \hline + Insert & The Proxy inserts a “js” or “css” scripts to webpages. For more details of uploading a script, see \textbf{Proxy Profile} > \textbf{\hyperlink{link:Insert Scripts}{\color{linkblue}{Insert Scripts}}}.\\ \hline \end{longtable} %\pdfbookmark[2]{Applications and Filters}{Proxy Applications and Filters} 
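Review bot: The Replace note "there must be at least 512 characters of the replaced content" is ambiguous after the rewrite: it is unclear whether 512 is the minimum length of the search string, of the replacement string, or of the HTTP part being searched, and what happens when the limit is not met (is the rule skipped silently?). An operator debugging a rule that does not fire needs this stated explicitly. Grammar in the same hunk: "If no match was found, the session remained untouched" should be present tense ("is found ... remains"), "multiple replacement" should be "multiple replacements", and "inserts a “js” or “css” scripts" should be "script". The supported-language list also changes from "Kazakh, Russian and English" to "Chinese, English, Russian and Kazakh"; confirm the added language is a verified capability rather than a wording change.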
@@ -684,7 +701,7 @@ For traffic that matches the attributes defined in a proxy policy, you can apply \addcontentsline{toc}{subsection}{Applications and Filters} \label{sec:policies:proxy:filter} -Only two basic protocol HTTP and DoH are available for the Application in proxy policy. The following table lists different Filter fields for the two protocols and the available object type you can select for each filter field, it also shows whether each filter field support allow, deny, monitor, redirect, replace, hijack and insert action or not. +Only two basic protocols HTTP and DoH are available for the Application in proxy policy. The following table lists different Filter fields for the two protocols and the available object type you can select for each filter field, it also shows whether each filter field support allow, deny, monitor, redirect, replace, hijack and insert action or not. Only two basic protocol HTTP and DoH are available for the Application in proxy policy. The following table lists different Filter fields for the two protocols and the available object type you can select for each filter field, it also shows whether each filter field support allow, deny, monitor, redirect, replace, hijack and insert action or not. 
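Review bot: The replacement line duplicates the paragraph: after the corrected sentence ("Only two basic protocols HTTP and DoH ...") the old uncorrected text ("Only two basic protocol HTTP and DoH ...") is appended verbatim, so the rendered page will show the paragraph twice. Delete everything from the second "Only two basic protocol" onward. Also "whether each filter field support allow, deny, ..." should be "supports".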
@@ -737,13 +754,17 @@ Object type available for Filter: The Evaluation Order for proxy policy is described as following. -Security policy is evaluated in preference to Proxy policy. Proxy manipulation requires targeted sessions are intercepted in security policies. That is to say an intercept security policy is the prerequisite for proxy policy. +Security policy is evaluated in preference to Proxy policy. Proxy manipulation requires targeted sessions are intercepted in security policies. +That is to say, an intercept security policy is a prerequisite for proxy policy. -For proxy policies with allow action, traffic can only hit one policy that meets the defined criteria. After a match is triggered, subsequent rules are not evaluated. Except allow action, proxy policies with other actions can be matched together only with monitor policies. This means traffic can hit a block proxy policy and a monitor proxy policy that meets the defined criteria at the same time. It is important to know the policy evaluation order to create policies accordingly. +For proxy policies with allow action, traffic can only hit one policy that meets the defined criteria. After a match is triggered, subsequent rules are not evaluated. +Except allow action, proxy policies with other actions can be matched together only with monitor policies. +This means traffic can hit a block proxy policy and a monitor proxy policy that meets the defined criteria at the same time. +It is important to know the policy evaluation order to create policies accordingly. -There are three factors in evaluation of policies. They are condition, action and policy ID in sequence. +There are three factors in the evaluation of policies. They are condition, action and policy ID in sequence. \begin{description}[leftmargin=0pt] 
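Review bot: "traffic can hit a block proxy policy and a monitor proxy policy" uses an action name that does not exist in the Proxy Policy Actions table (Allow, Deny, Monitor, Redirect, Replace, Hijack, Insert); use "deny" so the evaluation-order text matches the action names an operator will see. Grammar in the same hunk: "requires targeted sessions are intercepted" should be "requires that targeted sessions be intercepted", and "Except allow action" should be "Except for the allow action".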
@@ -760,7 +781,7 @@ There are three factors in evaluation of policies. They are condition, action an \end{description} -For more details about how TSG process packet flow, please see \textbf{\hyperlink{link:Appendix E TSG Packet Flow}{\color{linkblue}{Appendix E TSG Packet Flow}}}. +For more details about how TSG processes packet flow, please see \textbf{\hyperlink{link:Appendix D TSG Packet Flow}{\color{linkblue}{Appendix D TSG Packet Flow}}}. %\pdfbookmark[2]{Create a Proxy Policy Rule}{Create a Proxy Policy Rule} \subsection*{\hypertarget{link:Create a Proxy Policy Rule}{Create a Proxy Policy Rule}} @@ -774,7 +795,7 @@ For more details about how TSG process packet flow, please see \textbf{\hyperlin \item[STEP 4.] Define the matching criteria for the destination fields in the packet. Specify single or multiple \textbf{Destination} IP Addresses or leave the value set to any. - \notemark\textit{As a best practice, use address objects as the Destination Address to enable access to only specific servers or specific groups of servers especially for commonly exploited services, such as DNS and VPN.} + \notemark\textit{As a best practice, use address objects as the Destination Address to enable access to only specific servers or specific groups of servers, especially for commonly exploited services, such as DNS and VPN.} \item[STEP 5.] (\textcolor{gold}{Optional})If the Action is Redirect, specify the \textbf{Application}. \item[STEP 6.] (\textcolor{gold}{Optional}) Specify \textbf{Filters} as match criteria for the rule. For example, select a \textbf{Category} for \textbf{Host}. If you select a category, only web traffic will match the rule and only if the traffic is destined for that specified category. 
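Review bot: The link target is renamed from `link:Appendix E TSG Packet Flow` to `link:Appendix D TSG Packet Flow`; this only resolves if the matching `\hypertarget` in the packet-flow appendix is renamed in the same commit, otherwise hyperref emits only a warning and the reader gets a dead link. Please confirm the target side of the rename is included, and grep for any other `\hyperlink{link:Appendix E ...}` references that still use the old letter.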
@@ -788,13 +809,15 @@ For more details about how TSG process packet flow, please see \textbf{\hyperlin \item[STEP 10.] Select a \textbf{Schedule} or leave the value set to always. For more details, see \textbf{Policies} > \textbf{\hyperlink{link:Schedules}{\color{linkblue}{Schedules}}}. - \notemark\textit{If you select a schedule, the schedule will determine when the policy will be enabled and effective. This means you don’t have to turn the Enabled switch on. Because the policy will automatically be effective according to your specified schedule. And even if you set the policy Enabled, the policy will not be effective, if it has not reached the schedule time frame.} + \notemark\textit{If you select a schedule, the schedule will determine when the policy will be enabled and effective. This means you don’t have to turn the Enabled switch on. + Because the policy will automatically be effective according to your specified schedule, and even if you set the policy Enabled, + the policy will not be effective if it has not reached the schedule time frame.} \item[STEP 11.] Verify that \textbf{Log Session} is enabled if you wish to have proxy event logs. Only traffic that matches a Proxy policy rule will be logged. - When \textbf{Log Session} is enabled, select one of \textbf{Log Options}, Metadata only or All. If option Metadata only is enabled, only structured logs are recorded for the proxy policy rule. - While option All provides raw log files for some special log fields, such as content of HTTP request header or HTTP response content. For more details of logs, see \textbf{\hyperlink{link:View and Manage Logs}{\color{linkblue}{View and Manage Logs}}}. + When \textbf{Log Session} is enabled, select one of \textbf{Log Options}, Metadata only, or All. If option Metadata only is enabled, only structured logs are recorded for the proxy policy rule. 
+ While option All provides raw log files for some special log fields, such as the HTTP request header or HTTP response content. For more details of logs, see \textbf{\hyperlink{link:View and Manage Logs}{\color{linkblue}{View and Manage Logs}}}. \item[STEP 12.] Verify that \textbf{Enabled} is on if you don’t have a schedule. \item[STEP 13.] Click \textbf{OK} to save the policy rule. - \item[STEP 14.] (\textcolor{gold}{Optional})To verify that you have set up your policies effectively, test whether your Proxy Policy rules are being evaluated and determine which Proxy Policy rule applies to a traffic flow. + \item[STEP 14.] (\textcolor{gold}{Optional})To verify that you have set up your policies effectively, test whether your Proxy Policy rules are being evaluated and determine which rule applies to a traffic flow. \begin{enumerate} \item Select \textbf{Settings} > \textbf{Trouble Shooting} and select \textbf{Policy Verify} tab. \item Select \textbf{Proxy Policy Match} from the \textbf{Select Test} drop-down. 
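Review bot: The STEP 10 schedule note here has the same "Because the policy will automatically be effective ..." fragment as the one in the Security Policy procedure (hunk @@ -552); the two notes are otherwise identical and were edited separately. Suggest the same joined wording in both ("... turn the Enabled switch on, because the policy will automatically be effective according to your specified schedule; even if you set the policy Enabled, it will not be effective until the schedule time frame is reached."), or define the note once as a macro so the copies cannot drift.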
@@ -811,13 +834,14 @@ For more details about how TSG process packet flow, please see \textbf{\hyperlin You can view detailed information about the policy you just created. To edit and delete the policy, find the item you want to edit or delete in the list. Click \textbf{Edit} or \textbf{Delete} at the top left. -You can export the contents of policies to a json file. First, search policies according to ID, Name. Then, click the Export icon on the right to download and save the file to your local folder. +You can export the contents of policies to a JSON file. First, search policies according to ID, Name. Then, click the Export icon on the right to download and save the file to your local folder. -You can also import policies by clicking the import icon. Only json and txt formats can be uploaded. You can take the exported file as template for import. +You can also import policies by clicking the import icon. Only JSON and txt formats can be uploaded. You can take the exported file as a template for import. -Select the checkbox for policies in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then you can click the star icon in the bottom right and select Policy tab to view the Watch List. You can search policies by ID and Name in the list. +Select the checkbox for policies in the list and Click \textbf{Watch} at the bottom to add to Watch List. And then, you can click the star icon in the bottom right and + select the Policy tab to view the Watch List. You can search policies by ID and Name in the list. \section*{\hypertarget{link:WAN NAT}{WAN NAT}} \addcontentsline{toc}{section}{WAN NAT} 
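Review bot: The export/import/Watch paragraphs in this hunk are the same text as in the Security Policy section (hunk @@ -588), and the same JSON/template corrections had to be applied in both places by hand. Consider moving the block into a shared macro or `\input` so future fixes land once. Minor: "Only JSON and txt formats" mixes cases (use "JSON and TXT" or "json and txt"), and "Click \textbf{Watch}" mid-sentence should be "click".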
@@ -826,22 +850,27 @@ Select the checkbox for policies in the list and Click \textbf{Watch} at the bot This section describes Network Address Translation (NAT) and how to configure TSG for NAT. -The WAN NAT feature can hide and change the traffic’s source and destination IP address. WAN NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses. +The WAN NAT feature can hide and change the traffic’s source and destination IP address. WAN NAT allows you not to disclose the real IP addresses of hosts +that need access to public addresses. -When an internal real user visits an external service, the traffic will be steered to TSG. And the IP address will be included in TSG’s IP pool, when the real user is disconnected, WAN NAT can disguise as the real user and send request to the external service for its own purposes. Thus, WAN-NAT provides larger address space. It offers a very large IP Pool to help you use Web crawler to gain insight and guide Public Opinion. And WAN NAT can reduce the blocking for web crawler. You can use WAN NAT to create Web Crawler, perform Network scan, effect verification and provide virtual service. TSG supports both source address translation (SNAT) and destination address translation (DNAT). +When a real internal real user visits an external service, the traffic will be steered to TSG. And the IP address will be included in TSG’s IP pool. +When the real user is disconnected, WAN NAT can disguise as the real user and send the request to the external service for its own purposes. +Thus, WAN-NAT provides larger address space. It offers a very large IP Pool to help you use Web crawler to gain insight and guide Public Opinion. +And WAN NAT can reduce the blocking for web crawlers. You can use WAN NAT to create Web Crawler, perform a network scan, effect verification and provide virtual service. +TSG supports both source address translation (SNAT) and destination address translation (DNAT). 
For SNAT, the source address is translated and thereby kept private. It is used for Web Crawler, Network scan, effect verification. -DNAT is commonly used for virtual service. TSG translates a destination address to a different destination address; for example, if you have a controlled DNS server, you can direct traffic visiting google DNS to the controlled DNS server. +DNAT is offen used for virtual service. TSG translates a destination address to a different destination address; for example, if you have a controlled DNS server, you can direct traffic visiting google DNS to the controlled DNS server. \subsection*{\hypertarget{link:Source NAT}{Source NAT}} \addcontentsline{toc}{subsection}{Source NAT} \label{sec:policies:security:sourcenat} -Source NAT(SNAT) is typically used by internal users to access the Internet; the source address is translated and thereby kept private. +Internal users typically use source NAT(SNAT) to access the Internet; the source address is translated and thereby kept private. Perform the following tasks to configure SNAT: 
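Review bot: "When a real internal real user visits an external service" duplicates "real"; suggest "When an internal user visits". In the same hunk "DNAT is offen used" should be "often", "WAN-NAT provides" should match the "WAN NAT" spelling used everywhere else in the section, and "source NAT(SNAT)" is missing the space before the parenthesis.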
@@ -854,10 +883,12 @@ Perform the following tasks to configure SNAT: \item Add a \textbf{Name} for the IP Pool. \item Specify a \textbf{Color}. \item You can view \textbf{History Active IP} and select IP address from them. - \item Click \textbf{Reachability Test} to verify reachability of the IP address. It is recommended to use IP address which pass the test. + \item Click \textbf{Reachability Test} to verify the reachability of the IP address. It is recommended to use IP address that pass the test. - \notemark\textit{There are 4 results for reachability test. They are reachable, unreachable, unknown, N/A. If all the data packets sent by TSG are received by server, the result is reachable. If all is not received by the server, the result is unreachable. If only parts of the data packets are received by server, the result is unknown. If the server did not respond, the result is N/A.} + \notemark\textit{There are 4 results for the reachability test. They are reachable, unreachable, unknown, N/A. If all the data packets sent by TSG are received by server, + the result is reachable. If the server does not receive all, the result is unreachable. If only parts of the data packets are received by server, the result is unknown. + If the server does not respond, the result is N/A.} \item Add a \textbf{Description}. 
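Review bot: The rewritten reachability note makes two results overlap: "If the server does not receive all, the result is unreachable" now also covers the case "If only parts of the data packets are received by server, the result is unknown". The removed line meant none of the packets arrived. Suggest "If the server receives none of the packets, the result is unreachable." so the four outcomes are disjoint. Also "use IP address that pass the test" should be "use IP addresses that pass the test".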
@@ -876,13 +907,15 @@ Perform the following tasks to configure SNAT: \item Select \textbf{SNAT} Action. \item Select the \textbf{VPN Account} you just created. \item Select the IP Pools you just created. - \item For \textbf{Change Source IP}, if you wish to only translate IP address once, select \textbf{Never}; if you wish to translate IP address by time, select \textbf{By Time} and enter how many seconds change each time; if you wish to translate IP address by connection, select \textbf{By Connections} and enter how many connections change each time. + \item For \textbf{Change Source IP}, if you use a fixed IP, select \textbf{Never}. + If you want to change IP addresses by time, select \textbf{By Time} and enter how many seconds change each time. + If you want to change IP address by connection, select \textbf{By Connections} and enter how often it changes. \item Specify \textbf{Connection Timeout}. \item Add a \textbf{Tag} and \textbf{Description}. \item Verify it is \textbf{Enabled}. \item Click \textbf{OK}. \end{enumerate} - \item[STEP 4.] Verify the translation. Take packet capture from server which shows the Client IP changes. + \item[STEP 4.] Verify the translation. Take packet capture from the server which shows the Client IP changes. \end{description} \subsection*{\hypertarget{link:Destination NAT}{Destination NAT}} 
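Review bot: The By Connections instruction loses its unit: "enter how often it changes" replaces "enter how many connections change each time", so the operator no longer knows the field is a connection count. Suggest "enter the number of connections after which the source IP changes", mirroring the "how many seconds" wording for By Time. Also "if you use a fixed IP, select Never" can be read as "no translation"; the removed line said the address is translated once and then kept, so "to keep one translated IP for the lifetime of the session, select Never" is clearer.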
@@ -927,7 +960,10 @@ To translate the destination address for all packets on your TSG, as shown in th \addcontentsline{toc}{section}{Schedules} \label{sec:policies:schedules} -Schedules is the time frame that is applied to the policy or report. Schedules allow you to control the time period for which security rules and proxy rules are in effect. This can be something as simple as a time range that the sessions are allowed to start such as between 8:00 am and 5:00 pm. Something more complex like business hours that include a break for lunch and time of the session’s initiation may need assign multiple schedules to a policy because it will require multiple time ranges. You can then apply these schedules to the rules and reports. +A schedule is the time frame that is applied to the policy or report. Schedules allow you to control the time period for which security rules and proxy rules are in effect. +This can be something as simple as a time range that the sessions are allowed to start such as between 8:00 am and 5:00 pm. +Something more complex like business hours that include a break for lunch and time of the session’s initiation may need to assign multiple schedules to a policy +because it will require multiple time ranges. You can then apply these schedules to the rules and reports. Types of Schedules: 
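Review bot: "may need to assign multiple schedules to a policy" is still awkward after the reflow; "may require assigning multiple schedules to a policy" reads better, and "time of the session’s initiation" hangs off the sentence without a verb. Suggest "Something more complex, like business hours that include a break for lunch, may require assigning multiple schedules to a policy because it needs multiple time ranges."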
@@ -939,7 +975,8 @@ Types of Schedules: • One-time: Policy or report is effective once during the specified days and time period. You can apply one-time schedules to control policies or reports related to one-time events. -The schedule page displays the full list of predefined and custom schedules. To view the policies to which a schedule is attached, to apply a schedule to a policy or to change the applied schedule, go to the corresponding policy Edit page. +The schedule page displays the full list of predefined and custom schedules. To view the policies to which a schedule is attached, +go to the corresponding policy Edit page to apply a schedule to a policy or change the applied schedule. \notemark\textit{You cannot delete a schedule that is currently applied to a policy. To do so, you must apply a different schedule to the policy or delete the policy itself.} @@ -964,7 +1001,7 @@ Perform the following to create a schedule. Verify the policy rules in your running configuration to ensure that your policies appropriately allow and deny traffic and access to applications and websites in compliance with your business needs and requirements. -You can test and verify that your policy rules by executing policy match tests for your TSG directly from the web interface. +You can test and verify your policy rules by executing match tests for your TSG directly from the web interface. For example, a Proxy Policy has been defined with ID 4736, Name tsg-test-pxyverify. And the basic information about this policy is listed as following. 
@@ -989,15 +1026,19 @@ For example, a Proxy Policy has been defined with ID 4736, Name tsg-test-pxyveri \item[STEP 3.] Enter the required information to perform the policy match test. In this example, just run a \textbf{Proxy Policy Match}. \begin{enumerate} \item Select \textbf{Proxy Policy Match} from the Select Test drop-down. - \item Enter the \textbf{Client IP} and \textbf{Server IP} addresses or leave it set to default. If you wish to match your specified policy, enter at least one Client IP that is in Source IP set and enter at least one Server IP that is in Destination IP set. If the Source or Destination is any in your policy, leave the corresponding Client IP or Server IP set to default. Here fill in Client IP 192.168.50.71. + \item Enter the \textbf{Client IP} and \textbf{Server IP} addresses or leave it set to default. If you wish to match your specified policy, + enter at least one Client IP in Source IP set and enter at least one Server IP in the Destination IP set. + If the Source or Destination is any in your policy, leave the corresponding Client IP or Server IP set to default. Here fill in Client IP 192.168.50.71. \item Specify the \textbf{Client Port} and \textbf{Server Port} or leave it set to default. - \item Select the \textbf{Protocol} from Any, TCP and UDP. + \item Select the \textbf{Protocol} from Any, TCP, and UDP. \item Specify \textbf{Subscriber ID} if your specified policy references Subscriber ID object. \item Select \textbf{APP ID} from the Applications side page, and you can search your application by name. Here select HTTP. - \item If you selected one of HTTP, SSL, DNS, MAIL, FTP and QUIC as \textbf{APP ID}, you need to add corresponding additional filter for your policy rule testing. And you need to fill in all the filter fields defined in the policy, but you can add only one item for each field. 
For example, click plus, and add “www.vip.com” for Host; click plus, and add “microsoft.com” for URL; click plus and add “beer” for Response Header. + \item If you selected HTTP, SSL, DNS, MAIL, FTP, or QUIC as Application, you need to add a corresponding additional filter for your policy rule testing. + it would be best if you filled in all the filter fields defined in the policy, but you can add only one item for each field. + For example, click “+”, and add “www.vip.com” for Host; click “+”, and add “microsoft.com” for URL; click “+” and add “beer” for Response Header. \end{enumerate} \item[STEP 4.] Click \textbf{Verify} to execute the \textbf{Proxy policy match} test. - \item[STEP 5.] Review the \textbf{Policy Match} and \textbf{Object Match} result to see the policy rules. + \item[STEP 5.] Review the \textbf{Policy Match} and \textbf{Object Match} results to see the policy rules. \end{description} -- cgit v1.2.3
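Review bot: in the SNAT hunk (@@ -876) the rewritten Change Source IP item loses information and stays ungrammatical. "enter how often it changes" for By Connections no longer tells the administrator that the value is a number of connections, and the By Time clause still reads "enter how many seconds change each time", as if the seconds were what changes. The first clause also shifts meaning: the original described Never as translating the address only once, whereas "if you use a fixed IP" can be read as disabling translation. Suggest: `select \textbf{Never} if the translated source address should not change after the first translation`, `select \textbf{By Time} and enter the number of seconds after which the source IP changes`, and `select \textbf{By Connections} and enter the number of connections after which the source IP changes`.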
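Review bot: the Schedules paragraph (@@ -927) still carries a sentence with no subject for "may need to assign": "Something more complex like business hours that include a break for lunch and time of the session's initiation may need to assign multiple schedules to a policy because it will require multiple time ranges." Suggest: `Something more complex, such as business hours with a lunch break, requires multiple time ranges, so you may need to assign multiple schedules to one policy.` The rest of the rewrite ("A schedule is the time frame...") reads well.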
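Review bot: the rewrite in the schedule page hunk (@@ -939) changes the meaning of the sentence. The original listed three parallel actions that are all done from the policy Edit page (view the policies a schedule is attached to, apply a schedule, change the applied schedule); the new wording makes viewing the attached policies the reason to open the Edit page "to apply a schedule to a policy or change the applied schedule", which is not what the original said. Suggest keeping the parallel list: `To see which policies a schedule is attached to, to apply a schedule to a policy, or to change the applied schedule, go to the corresponding policy's Edit page.`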
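Review bot: in the policy verification hunk (@@ -964) "executing match tests" drops the qualifier that the surrounding text uses; the unchanged lines of the same section say "policy match test" and the UI item is \textbf{Proxy Policy Match}, so `executing policy match tests` keeps the terminology consistent. While this line is being touched, the adjacent unchanged context line "is listed as following" should read "is listed as follows".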
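Review bot: in the Proxy Policy Match hunk (@@ -989) the additional-filter item now starts a sentence in lowercase ("it would be best if you filled in all the filter fields") and turns a requirement into a recommendation; the removed line said "you need to fill in all the filter fields defined in the policy", and the test depends on those fields being present. Suggest: `You must fill in every filter field defined in the policy, but you can add only one item per field.` The same item also says "as Application" while the preceding item and the removed text call the control \textbf{APP ID}; use one label for both.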