StoneGate IPS Installation Guide 4.3

StoneGate Installation Guide

IPS 4.3

Legal Information

End-User License AgreementThe use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:www.stonesoft.com/en/support/eula.html

General Terms and Conditions of Support and Maintenance ServicesThe support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/terms/

Replacement ServiceThe instructions for replacement service can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware WarrantyThe appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and PatentsThe products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1259028, 1271283, 1289183, 1289202, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737, 7,234,166, 7,260,843, 7,280,540 and 7,302,480 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

DisclaimerAlthough every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright © 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGIIG_20080609

www.stonesoft.com/en/support/eula.html

www.stonesoft.com/en/support/view_support_offering/warranty_service/index.html

www.stonesoft.com/en/support/view_support_offering/return_material_authorization/index.html

www.stonesoft.com/en/support/view_support_offering/terms/index.html

Table of Contents

GETTING STARTED

CHAPTER 1 Using StoneGate Documentation 9

How to Use This Guide 10

Typographical Conventions 10

Documentation Available 11

Product Documentation 11Support Documentation 12System Requirements 12

Contact Information 12

Licensing Issues 12Technical Support 12Your Comments 12Other Queries 12

CHAPTER 2 Planning StoneGate IPS Installation 13

StoneGate System Architecture 14

Example Network Scenarios 15

Overview to the Installation Procedure 15

Important to Know Before Installation 16

Supported Platforms 16Date and Time Settings 16Hosts File 16Installation Files 16Checking File Integrity 16License Files 17

Checking the Surrounding Network Environment 18

Switch SPAN Ports and Hubs 18Network TAPs 19

INSTALLING THE MANAGEMENT CENTER

CHAPTER 3 Installing the Management Center 23

Installing the Management Center 24

Installing on Linux 24Starting the Installation 25Selecting Basic Installation Options 25Installing a Management Server 28Installing a Log Server 29Installing a Monitoring Server 31Installing a Management Client 31Finishing the Installation 32

Starting the Management Center 33

Starting the Management Server 33Starting the Management Client 33Installing Licenses 34Starting the Log Server and Monitoring Server 37Starting Servers Manually 37If the Log Server or Monitoring Server Fails to

Start 37

Generating Server Certificates 38

Installing Dynamic Updates 39

Non-Graphical Installation 43

CHAPTER 4 Distributing StoneGate Clients Through Web Start 47

Getting Started With Web Start Distribution 48

Distributing Clients from the SMC Servers 48

Distributing Clients from a Separate Server 49

Accessing the Web Start Clients 50

3

CHAPTER 5 Defining Sensors and Analyzers 53

Configuration Overview 54


About Analyzer and Sensor Elements 54

Defining Analyzers 55

Defining the Analyzer Network Interfaces 56Defining Analyzer Physical Interfaces 57Defining Analyzer IP Addresses 58Setting Analyzer Interface Options 59

Defining Sensor Clusters 60

Defining the Sensor Cluster Network Interfaces 61Defining Sensor Cluster Physical Interfaces 62Defining Sensor Cluster VLAN Interfaces 63Defining IP Addresses for Sensor Clusters 64Defining Sensor Cluster Interface Options 64

Defining Single Sensors 65

Defining the Single Sensor Interfaces 66Defining Single Sensor Physical Interfaces 67Defining Single Sensor VLAN Interfaces 67Defining IP Addresses for Single Sensors 68Defining Single Sensor Interface Options 69

Defining Combined Sensor-Analyzers 70

Defining the Sensor-Analyzer Interfaces 71Defining Sensor-Analyzer VLAN Interfaces 71Defining IP Addresses for a Sensor-Analyzer 72Setting Combined Sensor-Analyzer Interface Op-tions 73

Defining Sensor Interfaces 74

Defining Logical Interfaces 74Defining Sensor Capture Interfaces 75Defining Sensor Inline Interfaces 77

Configuring Routing 79

Configuring IP Addressing for NAT 84

Defining Locations 84Engine Contact Addresses 85Server Contact Addresses 89Management Client Location Setting 91

Saving the Initial Configuration 91

INSTALLING SENSORS AND ANA-LYZERS

CHAPTER 6 Installing Sensors and Analyzers 97

Installing the Sensor or Analyzer Engine 98

Checking the File Integrity 98Starting the Installation 98

Configuring the Engine 99

Configuring the Engine Automatically with a USB Stick 99

Starting the Engine Configuration Wizard 100Configuring the Operating System Settings 101Configuring the Network Interfaces 102Contacting the Management Server 104After Successful Management Server Contact 106

Installing in Expert Mode 106

Partitioning the Hard Disk Manually 106Allocating Partitions 107

CHAPTER 7 Installing Policies 111

Installing the System Policy 112

MAINTENANCE

CHAPTER 8 Upgrading And Updating 119

Getting Started with Upgrading StoneGate 120

Configuration Overview 120Checking File Integrity 121

Upgrading or Generating Licenses 122

Generating a New License 122Upgrading Licenses Under One Proof Code 123Upgrading Licenses Under Multiple Proof

Codes 124Installing Licenses 125

Upgrading the Management Center 126

Upgrading Engines Remotely 128

4

Upgrading the Engine 129

Upgrading Engines Locally 131

Upgrading StoneGate IPS 131

Changing IP Addressing 133

Changing the Management Server’s IP Address 133

Changing the Log Server’s IP Address 134Changing IP Addresses if the Management Server

and the Log Server Run on the Same Machine 134

CHAPTER 9 Uninstalling StoneGate 135

Uninstalling the Management Center 136

Uninstalling in Windows 136Uninstalling in Linux 137

Uninstalling the Engines 137

APPENDICES

APPENDIX A Command Line Tools 141

APPENDIX B StoneGate IPS Ports 155

APPENDIX C Example Network Scenario 159

Legal Information 165

Index 181

5

6

Getting Started

CHAPTER 1 Using StoneGate Documentation

Welcome to Stonesoft Corporation’s StoneGate™ IPS Intrusion Detection and Response System for Intelligent Analysis. This chapter describes how to use the StoneGate IPS Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.

The following sections are included:

How to Use This Guide, on page 10 Documentation Available, on page 11 Contact Information, on page 12.

9

How to Use This GuideThis StoneGate IPS Installation Guide is intended for the administrators of a StoneGate system. It describes step by step how to install the StoneGate Management Center and the IPS Sensor and Analyzer engines. The chapters in this guide are organized in the general order you should follow when installing the system.Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment. The explanations that accompany the illustrations are numbered when the illustration contains more than one step for you to perform.

Typographical ConventionsThe following typographical conventions are used throughout the guide:

We use the following ways to indicate important or additional information:

Note – Notes provide important information that may help you complete a task.

Caution – Cautions provide important information that you must take into account before performing an action to prevent critical mistakes.

Tip: Tips provide information that is not crucial, but may still be helpful.

TABLE 1.1 Typographical Conventions

Formatting Informative Uses

Normal text This is normal text.

User Interface textText you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.

References, termsCross-references and first use of acronyms and terms are in italics.

Command lineFile names, directories, and text displayed on the screen are monospaced.

User input User input on screen is in monospaced bold-face.

Command parametersCommand parameter names are in monospaced italics.

10 Chapter 1: Using StoneGate Documentation

Documentation Avai lableStoneGate technical documentation is divided into two main categories: Product Documentation and Support Documentation. StoneGate Firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator’s Guide and the Online Help system cover both the Firewall/VPN and IPS products.

Product DocumentationThe table below lists the available product documentation.

PDF versions of the guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

TABLE 1.2 Product Documentation

Guide Description

Reference Guide

Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Firewall/VPN and StoneGate IPS.

Installation GuideInstructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Firewall/VPN and StoneGate IPS.

Online Help

Detailed instructions for the configuration and use of StoneGate. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Monitoring Client. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.

Administrator’s Guide

Describes how to configure and manage a StoneGate system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StonGate IPsec VPN Client.

User’s GuideInstructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Monitoring Client.

Appliance Installation GuideInstructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for all StoneGate hardware appliances.

Documentation Available 11

http://www.stonesoft.com/support/

Support DocumentationThe StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios.The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System RequirementsThe system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center can be found at http://www.stonesoft.com/en/products_and_solutions/products/ips/Certified_Servers/ (see the technical requirements section at the bottom of the page).The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.

Contact InformationFor street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing IssuesYou can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do.For license-related queries, e-mail [email protected].

Technical SupportStonesoft offers global technical support services for Stonesoft’s product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your CommentsWe want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements.• To comment on software and hardware products, e-mail [email protected].• To comment on the documentation, e-mail [email protected].

Other QueriesFor queries regarding other matters, e-mail [email protected].

12 Chapter 1: Using StoneGate Documentation


http://www.stonesoft.com

https://my.stonesoft.com/managelicense.do

mailto:[email protected]





http://www.stonesoft.com/en/products_and_solutions/products/ips/Certified_Servers/

http://www.stonesoft.com/en/products_and_solutions/products/ips/Certified_Servers/

CHAPTER 2 Planning StoneGate IPS Installation

This chapter provides important information to take into account before the installation can begin, including an overview to the installation and information on obtaining the installation and license files.


StoneGate System Architecture, on page 14 Example Network Scenarios, on page 15 Overview to the Installation Procedure, on page 15 Important to Know Before Installation, on page 16 Checking the Surrounding Network Environment, on page 18

13

StoneGate System ArchitectureA StoneGate system consists of the Management Center, Management Client(s), and one or more engines.

Illustration 2.1 StoneGate System Components

The Management Center consists of the following standard components:• the Management Server• one or more Log ServersThe Management Client is the graphical user interface used for configuring, managing and monitoring the entire StoneGate system. You can have one or several Management Clients.Optionally, and for a separate license fee, you can also have:• one or more backup Management Servers in addition to the active Management

Server• one or more Monitoring Servers for Monitoring Clients• one or more Monitoring Clients (used for limited log browsing).The Management Center components can be installed separately on different machines or on the same machine, depending on your requirements.The Management Center can manage several IPS Sensors and Analyzers (and StoneGate firewalls). The StoneGate IPS Sensors and Analyzers can be distributed as follows:• a combined Sensor-Analyzer with these two components on a single machine.• a single node Sensor.• a Sensor cluster which consists of 2 to 16 machines with Sensors called cluster

nodes or nodes for short.

14 Chapter 2: Planning StoneGate IPS Installation

• an Analyzer, which is required for the Sensors.More background information can be found in the Reference Guide.

Example Network ScenariosTo get a better understanding of how StoneGate fits into a network, you can consult the Example Network Scenarios that show you one way to deploy StoneGate. See Example Network Scenario, on page 159.

Overview to the Instal lation ProcedureThe installation proceeds as follows:1. Plan the installation of the StoneGate IPS Sensors, Analyzers, and the

Management Center as explained in this chapter.2. Check that you have the necessary installation and license files. Each

Management Server, Log Server, Monitoring Server (optional), Sensor and Analyzer must have its own license, although all the licenses can be stored together in a single .jar file.

3. Check the integrity of the StoneGate IPS installation files using the file checksums as explained in this chapter.

4. Check the surrounding network environment as explained in this chapter.5. Install and configure the Management Center and the Management Client. See

Installing the Management Center, on page 23.6. Define the Sensor and Analyzer elements and other necessary elements in the

Management Client. See Defining Sensors and Analyzers, on page 53.7. Generate the initial configuration for the Sensors and Analyzers. See Saving the

Initial Configuration, on page 91.8. Install and configure the Sensors and Analyzers. See Installing Sensors and

Analyzers, on page 97.9. Install the IPS Policy. See Installing Policies, on page 111.10.Test that the installed system operates as planned.The chapters in this guide are organized in the order outlined above.

Example Network Scenarios 15

Important to Know Before Instal lationBefore you start the installation, you need to carefully plan the site that you are going to install. Consult the Reference Guide if you need more detailed background information on the operation of StoneGate than what is offered in this chapter.

Supported PlatformsThe Release Notes list the basic requirements for StoneGate installation. For information on supported and certified hardware, see Hardware Requirements available at http://www.stonesoft.com/.

Date and Time SettingsMake sure that the Date, Time, and Time zone settings are correct on any computer you will use as a platform for any Management Center component, including the workstations used for remote management (Management Client). The time settings of the engines do not need to be adjusted, as they are automatically synchronized to the Management Server’s time setting. For this operation, the time is converted to UTC time according to the Management Server’s time zone setting.

Hosts FileDue to a restriction of the Java platform, the Management Server and Log Server hostnames must be resolvable on the computer running the Management Client (even if running on the same computer as the servers) to ensure good performance.To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs into the local hosts file on the client computer:• In Linux: /etc/hosts• In Windows: \WINNT\system32\drivers\etc\hosts

Installation FilesStoneGate hardware appliances have pre-installed software. If you wish to upgrade to a new version, use the remote upgrade feature after the IPS is fully configured.On other systems, the software is installed from CD-ROMs:• Depending on your order, you may have received ready-made Management Center

and the IPS engine CD-ROMs.• Otherwise, download CD-ROM .iso image files from the Stonesoft website at

https://my.stonesoft.com/download/ and create the installation CD-ROMs from those.

Checking File IntegrityBefore installing StoneGate, check that the installation files have not become corrupt. Using corrupted files may cause problems at any stage of the installation and use of the system. File integrity is checked using the MD5 or SHA-1 file checksums. The


http://www.stonesoft.com/

https://my.stonesoft.com/download/

checksums can be found on the StoneGate IPS installation CD-ROM and from the product-specific download page at the Stonesoft website.Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third-party programs available.

To check MD5 or SHA-1 file checksum1. Look up the correct checksum from Stonesoft website at http://

www.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 2.2 Checking the File Checksums

4. Compare the displayed output to the checksum on the website.

Caution – Do not use files that have invalid checksums.

License FilesYou must generate license files and install them on the Management Server using the Management Client before you can bring your system fully operational. Each Management Server, Log Server, Monitoring Server (optional), Sensor and Analyzer must have its own license, although all the licenses can be stored together in a single license .jar file.You generate the licenses at the Stonesoft website based on your proof-of-license (for software, included in the order confirmation message sent by Stonesoft) or proof-of-serial number (for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.There are two types of licenses that you can generate:• IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic control IP addresses. If you want to change the IP address the license is bound to, you need to fill in a request at the licensing website. For engine components, the IP address must be the Primary Control IP Address (the one that is used for communications with the Management Server).

• Management-bound licenses: For firewall and IPS engines (bound to the proof-of-license of the Management Server). Management-bound licenses allow you to change the IP addressing of an engine without generating a new license, and they

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Important to Know Before Installation 17

http://www.stonesoft.com/download/


can be switched from one engine to another if you delete or re-license the engine to which it is bound.

To generate a new license1. Go to the License Center at www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) to the correct

field and click Submit. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in the required fields.5. Enter the IP addresses of the Management Center components you want to use.

Note – All IP-address-bound licenses are bound to the IP address you give, and you must return to the licensing page if you need to change the IP address. The IP address must match the IP address configuration of the server.

6. Enter the Management Server’s proof-of-license code or the engine’s IP address for the engines you want to license.

7. Click Submit Request. The license file is sent to you in a moment. It will also become available for download at the license page.

All licenses include a maximum version on which they are valid. You may need to upgrade the licenses when you upgrade to a new major release of the software. Software upgrades are included in support contracts. You can either upgrade the licenses at the Stonesoft website or configure in the Management Client that the licenses are upgraded and installed automatically. See the Online Help for more information.

Checking the Surrounding Network Environment

StoneGate IPS can be connected to a switch SPAN port, a network TAP, or a hub to capture network traffic. The considerations for these connection methods are explained below. Additionally, the IPS Sensor can be installed in-line, so that the network traffic is routed through the Sensor, allowing active blocking of any connection.For more specific information on compatibility of different network devices and StoneGate IPS, refer to the Stonesoft website at http://www.stonesoft.com/support/.

Switch SPAN Ports and HubsA Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a switch. This is also known as port mirroring. The capturing is done passively, so it does not interfere with the traffic. With a hub, no special configuration such as a SPAN port is needed as all the traffic going through the hub is directed to all ports.


www.stonesoft.com/license/


A StoneGate IPS capturing interface can be connected directly to a SPAN port of a switch. Then, all the traffic to be monitored must be copied to this SPAN port. The SPAN mode capturing interface is also used when connecting the capture interface to a hub, although using a hub might not be suitable because of network performance reasons.

Network TAPsA Test Access Port (TAP) is a passive device located at the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic is divided to separate wires. For this reason, StoneGate IPS needs two capturing interfaces for a network TAP; one capture interface for each direction of the traffic. The two related capturing interfaces are handled in StoneGate IPS as one logical interface that combines the traffic of these two interfaces for inspection.

Checking the Surrounding Network Environment 19


Installing the Management Center

CHAPTER 3 Installing the Management Center

This chapter instructs how to install the StoneGate Management Center components on Windows and Linux platforms.


Installing the Management Center, on page 24 Starting the Management Center, on page 33 Generating Server Certificates, on page 38 Installing Dynamic Updates, on page 39 Non-Graphical Installation, on page 43

23

Instal l ing the Management CenterThe Management Server contains the configuration information for your system and controls the Sensors and Analyzers. Place the server in a secure location.Log in to the system where you are installing the Management Center with the correct administrative rights. In Windows, you must log in with administrator rights. In Linux you must log in as root.To install the software, you need the Management Center CD-ROM (see Installation Files, on page 16). None of the components can be started without a valid license file for each component (see License Files, on page 17). Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.The remote Management Clients can be installed using the Installation Wizard as described in this section or they can be made available through Java Web Start (Distributing StoneGate Clients Through Web Start, on page 47), which eliminates the need to update all Management Clients individually at each version upgrade.

Caution – The supported operating system platforms for running the Management Center version you are using are listed in the Release Notes for that version. Note that not all language versions of Windows are supported.

Installing on LinuxThe installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with “mount /dev/cdrom /mnt/cdrom”.This section guides you through a Management Center installation in a graphical user interface. For command line installation, see Non-Graphical Installation, on page 43.

24 Chapter 3: Installing the Management Center

Starting the Installation

Caution – Do not attempt to install the Management Center on a StoneGate Firewall/VPN appliance. This must not be done, as all StoneGate appliances have pre-installed software.

To start the Installation Wizard1. Insert the StoneGate installation CD-ROM and run the setup executable:

• On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe• On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh

2. Wait for the Installation Wizard to start. First, the Java Runtime Environment (JRE) is installed for StoneGate, so this may take a while.

3. When the Installation Wizard shows the Introduction screen, click Next to start the installation. The License Agreement appears.

Selecting Basic Installation Options

To select installation options

Illustration 3.1 License Agreement

1. You must accept the license agreement to continue.

You can click Cancel to stop the installation at any time.

You can click Previous at any time to go back

2. Click Next.


To select the installation directory

Illustration 3.2 Select Installation Directory

Note – If you are going to install any of the server components as a service (so that they start automatically at operating system startup), you must define a directory path that does not contain spaces.

To select where shortcuts are created

Illustration 3.3 Select Shortcuts Directory

1. (Optional) To change the installation directory, enter a new location, or click Select to browse

2. Click Next.

1. (Optional) Change the location where you want to create shortcut icons. Shortcuts can be used to manually start components and to run some maintenance tasks.

2. Click Next.


To select which components to install

Illustration 3.4 Select StoneGate Components to Be Installed

To select components for the custom installation

Illustration 3.5 Select Installation Set

Note – Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in the StoneGate Management Center license.

The installation proceeds in the following order according to the components you have chosen for the installation:• Installing a Management Server, on page 28• Installing a Log Server, on page 29• Installing a Monitoring Server, on page 31• Installing a Management Client, on page 31• Finishing the Installation, on page 32

Default choice Typical installs all mandatory Management Center components.

Select Custom to select components to install individually.

Management Client Only installation is meant for administrators’ workstations.

Click Next after making your choice.

1. Select the components that you want to install.

Custom Installation only

2. Click Next.


Installing a Management Server

To create the first administrator account

Illustration 3.6 Create a Superuser Account

Note – The account you add here is the only account that can be used to log in to the StoneGate Management Center after the installation has finished.

To configure the Management Server properties

Illustration 3.7 Configure Management Server

1. Type in a user name. This is a special unrestricted administrator account that cannot be deleted or modified.

2. Type in the same password in both fields.

3. Click Next.

1. Enter Management Server’s IP address. The Management Server’s license must be tied to this IP address.

2. Enter IP address for the Log Server that handles any alerts generated by this Management Server.

3. Click Next.

A service automatically starts at operating system start-up.

If you want to install the Management Server as a secondaryManagement Server, see the Administrator’s Guide or the Online Help of the Management Client for detailed instructions.


Note – The user name for the Management Database is dba. The password is created randomly, but you can change it using the Management Client if needed.

Proceed to Installing a Log Server, on page 29.

Installing a Log ServerIf you are not installing a Log Server, skip to the first relevant section below:• Installing a Monitoring Server, on page 31• Installing a Management Client, on page 31• Finishing the Installation, on page 32

To configure the Log Server properties

Illustration 3.8 Configure Log Server

Note – If you need to change the port number, check that the Log Server element properties reflect this in the Management Client after the installation is complete.

1. Type in the IP address. The Log Server’s license must be tied to this IP address.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless installed at the same time.

A service automatically starts at operating system start-up.

2. Type in the IP address of the Management Server that controls this server.

4. Click Next.


To select a log storage location

Illustration 3.9 Select Destination for Log Files

If you are installing a Monitoring Server, continue to Installing a Monitoring Server, on page 31. Otherwise, proceed to Installing a Management Client, on page 31.

1. (Optional) Type in the active storage directory for logs or click Select to browse.

2. Click Next.


Installing a Monitoring ServerIf you are not installing a Monitoring Server, skip to the first relevant section below:• Installing a Management Client, on page 31• Finishing the Installation, on page 32

Note – Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in the StoneGate Management Center license.

We recommend placing the Monitoring Server in a DMZ network.

To configure the Monitoring Server properties

Illustration 3.10 Configure Monitoring Server

Continue to Finishing the Installation, on page 32.

Installing a Management ClientThe Management Client has no configurable parameters. Proceed to Finishing the Installation, on page 32.

Note – The Management Client needs to connect to the Management Server and to Log Servers. See StoneGate IPS Ports, on page 155 for a list of the ports used.

1. Type in the IP address. The Monitoring Server’s license must be tied to this IP address.

A service automatically starts at operating system startup.

Custom Installation only

2. Type in the IP address for the Management Server that controls this server.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless installed at the same time.

4. Click Next.


Finishing the Installation

Caution – If you are installing any server components as a service on a Windows system, make sure the Services window is closed before you proceed.

To start the installation

Illustration 3.11 Pre-installation Summary

Depending on the options you selected, you may soon be prompted to generate certificates. If this happens, see Generating Server Certificates, on page 38.

To finish the Installation Wizard

Illustration 3.12 Install Complete

1. Check the displayed information.

2. Click Install to install the selected components now or click Previous to make changes.

Click Done to close the installer.


Note – If any Log Server or Monitoring Server certificate was not retrieved during the installation, a certificate must be retrieved manually before the server can be started (see If the Log Server or Monitoring Server Fails to Start, on page 37).

Proceed to Starting the Management Center.

Starting the Management CenterWhen starting the Management Center for the first time, the following steps must be completed (as instructed in the sections that follow):1. Start the Management Server.2. Log in using the Management Client.3. Install license files using the Management Client.4. Start the Log Server.5. If you have installed a Monitoring Server, start it.Proceed to Starting the Management Server.

Starting the Management ServerIf the Management Server has been installed as a service, the server is started automatically after the installation and during the operating system boot process.• In Windows, the StoneGate Management Server service can be started and

stopped manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

• If the service has started, proceed to Starting the Management Client.Otherwise, the Management Server must be started manually:

To start the Management Server manually• In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs →StoneGate→Management Server) or run the script <installation directory>/bin/sgStartMgtSrv.bat.

• In Linux, run the script <installation directory>/bin/sgStartMgtSrv.sh.

Starting the Management ClientAdministrators use StoneGate’s graphical user interface, the Management Client, to connect to the Management Server (remotely or locally) to configure the Sensors, Analyzers, or any other feature of StoneGate.

To start the Management Client• In Windows, use the shortcut icon in the location you selected during

installation (default: Start→Programs→StoneGate→Administration Client) or run the script <installation directory>/bin/sgClient.bat.

• In Linux, run the script <installation directory>/bin/sgClient.sh. A graphical environment is needed for the Management Client.


Illustration 3.13 Management Client Login

You can access the Online Help system in the Login window or any other window in the Management Client by pressing the F1 key on your keyboard.The Accept Certificate dialog is displayed when the Management Client contacts any Management Server for the first time.

Illustration 3.14 Accept Certificate

To check the fingerprint of the Certificate Authority on the Management Server:• In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs→StoneGate→Show Fingerprint) or run the script <installation directory>/bin/sgShowFingerPrint.bat.

• In Linux, run the script <installation directory>/bin/sgShowFingerPrint.sh on the Management Server.

If the fingerprint matches, click Accept CertificateWhen you accept the certificate, the Management Client opens the Monitoring window. Proceed as instructed in the next section.

Installing LicensesTo have a working system, you must have a license for all StoneGate server and engine components. Each Management Server, Log Server, Monitoring Server

1. Type in the user name and password for the Administrator you defined during Management Server installation.

2. Type in the Management Server’s address.

3. Leave this option selected if you want the Management Client to add the Management Server’s address permanently in the Server Address list.

4. Click Login.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.


(optional), Sensor and Analyzer must have its own license, although all the licenses can be stored in one .jar file.If you have not generated all license files yet, see License Files, on page 17. To import licenses, the license files must be available to the computer you use to run the Management Client. All licenses can be installed even though you have not yet defined all the elements the licenses will be bound to.

To install StoneGate licensesWhen there is no valid Management Server license, a license information message is shown every time you log in using the Management Client.

Illustration 3.15 License Information Message

The message is displayed only when there is no valid license for the Management Server. Otherwise, open the Install License File(s) dialog as shown in Illustration 3.16.

Illustration 3.16 Opening the Install License File(s) Dialog

If you already have the licenses, click Continue. The Install License file(s) dialog (Illustration 3.17) opens automatically.

If you do not have the licenses yet, generate them on the Stonesoft website http://www.stonesoft.com/license and then click Continue.

1. Open the File menu (the number of items in the menu may vary).

2. Select System Tools→Install Licenses.The Install License File(s) dialog opens.


http://www.stonesoft.com/license

http://www.stonesoft.com/license

Illustration 3.17 Install License File(s) (Operating System-Specific Dialog)

To check that the licenses were imported correctly

Illustration 3.18 Checking License Import

Illustration 3.19 Checking Licenses

Note – Management-bound engine licenses are manually bound to the correct engines once you have configured the engine elements. In the All Licenses list, you should see one license for each Management Server, Log Server, Monitoring Server, Sensor and Analyzer in your StoneGate system.

Proceed to the next section, Starting the Log Server and Monitoring Server.

1. Browse to the correct folder.2. Select one or more license files you want to import.

3. Click Install.

Click the Configuration button in the toolbar. The Configuration view opens.

1. Expand the Administration branch of the tree.

2. Select Licenses and click All Licenses in the list.


Starting the Log Server and Monitoring ServerIf the Log Server and the (optional) Monitoring Server have been installed as a service, the servers are started automatically during the operating system boot process. However, as the servers did not have a license when the operating system was rebooted, you may need to start them now as explained here.• In Windows, you can start or stop a Log Server or Monitoring Server installed as a

service manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

• In other cases, you can start the Log Server or Monitoring Server manually as explained in Starting Servers Manually, on page 37.

• If you have problems starting a Log Server or Monitoring Server, see If the Log Server or Monitoring Server Fails to Start, on page 37.

Once you have started the servers successfully, proceed to Installing Dynamic Updates, on page 39.

Starting Servers ManuallyTo start the Log Server or Monitoring Server manually, run the scripts in a console window, which will display information on the progress. Closing the console will stop the service.

To start the Log Server and Monitoring Server manually1. Start the Log Server:

• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs →StoneGate→Log Server) or run the script <installation directory>/bin/sgStartLogSrv.bat.

• In Linux, run the <installation directory>/bin/sgStartLogSrv.sh script.2. If you have a Monitoring Server, start it in the same way:

• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs →StoneGate→Monitoring Server) or run the script <installation directory>/bin/sgStartMonitoringServer.bat.

• In Linux, run the script <installation directory>/bin/sgStartMonitoringServer.sh.

Next, continue as follows:• If you have started all servers successfully, proceed to Installing Dynamic Updates,

on page 39.• If you have trouble starting the server, see If the Log Server or Monitoring Server

Fails to Start, on page 37.

If the Log Server or Monitoring Server Fails to StartIf the Log Server or Monitoring Server does not start automatically as a service, first try starting it manually as explained in the previous section above to see if there is some error displayed on the console.


• Remember that your Log Server or Monitoring Server must be licensed, and the license must be for the IP address in use. The license is a file you import to the system to verify the legal purchase of the software. The licenses can be obtained through the Stonesoft license center on the Web (or from Stonesoft Order Services). To generate a license file, see License Files, on page 17.

• The Log Server or Monitoring Server must also have a valid certificate, which it uses to prove its identity to the Management Server when the two servers communicate. The certificates are generated within the system itself. If there are certificate-related problems or problems you are not able to identify, try (re)generating the certificate manually as follows:

To manually certify a Server• In Windows, run the <installation directory>/bin/sgCertifyLogSrv.bat or

the <installation directory>/bin/sgCertifyMonitoringServer.bat script depending on server type.

• In Linux, run the <installation directory>/bin/sgCertifyLogSrv.sh or the <installation directory>/bin/sgCertifyMonitoringServer.sh script depending on server type.

Proceed as explained in Generating Server Certificates, on page 38, then try starting the servers again.

Generating Server Certif icatesNote – If the Management Server is not running, see Starting the Management Server, on page 33.

To generate a certificate for a StoneGate server

Illustration 3.20 Certificate Generation

Enter the username and password for the account you created during the Management Server installation.“Superuser” refers to the administrator privilege level. Administrators with other privilege levels are not allowed to generate certificates.


Illustration 3.21 Accept Certificate

To check the fingerprint of the Certificate Authority1. Run the script <installation directory>/bin/sgShowFingerPrint[.bat/

.sh] on the Management Server.2. If the fingerprint matches, click Accept in the dialog. The Log Server Selection

or Monitoring Server Selection dialog opens.

To certify a Log Server or Monitoring Server

Illustration 3.22 Log Server Selection

Instal l ing Dynamic UpdatesThe dynamic update packages provide the latest system policies and vulnerability and exploit information for intrusion detection. They may revise the Inspection rules in the System template and the default elements you use to configure the system.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.

Click Accept to accept the certificate.

If not listed above, select Create a New Log Server (or Monitoring Server) and type in a name. The name will be used in the Management Client.

If your server is on the list, select it.

2. Click OK.

1. Specify the server you want certified.


During the installation, the update package included on the installation CD-ROM was imported and activated. However, since update packages are released more frequently than new software versions, you should still check which update package is active in the system and whether a newer one is available to ensure your system is current.

Note – You can configure the Management Center to periodically check if new update packages are available. You can also configure automatic download and activation of new update packages. See the Online Help for more information.

To find the dynamic updates in the Management Client

Illustration 3.23 Checking for Updates

Illustration 3.24 Checking the Installed/Active Update Package

Note – Dynamic updates with the state Imported are not activated yet. You must activate imported dynamic update packages for them have to have an effect in the system.

To check for the most recent dynamic update1. Go to www.stonesoft.com/download/ and follow the link to dynamic updates.2. If the download page shows that a more recent update is available, download

the latest .jar update package file. If you already have the most recent update package, do one of the following:• If the update package is in the Imported state, see To activate an update

package, on page 42,


1. Expand the Administration branch.

3. Select Updates.

4. Check the update package number and state.

2. Expand the Updates and Upgrades branch.



• If the update package is shown as Active, the most recent update package has already been activated and no action is needed at this time.

3. Save the update package file to a location reachable from the computer you use to run the Management Client.

4. Check that the update package file has not become corrupted during file transfer(s). Compare the file checksum according to the same procedure as with the installation files (see Checking File Integrity, on page 16).

To import a new update package

Illustration 3.25 Importing an Update Package

Illustration 3.26 StoneGate Update Package File Browser (Operating System-Specific)

In a while, the new update package appears in the system. Now you must activate it as instructed in the next section.

Click the Tools icon to open a Update Packages menu and select Import Update Packages from the menu. A File Browser dialog opens.

1. Browse to the correct file and select it.

2. Click Import. The dialog closes and a status bar displays the progress.


To activate an update package

Illustration 3.27 Activating and Update Package

Illustration 3.28 Management Server Backup Dialog

Note – Once you have configured your system, taking a backup at this point allows you to quickly revert back to a previous configuration. This may be necessary because changes in system elements may cause the inspection rules to match traffic in a way you do not want, and you may need some time to redesign them.

The update package activation starts. The dialog may seem to pause occasionally while the information is processed. The included items are shown in the dialog so that you can view them after the activation is complete.

1. Right-click the new update package.

2. Select Activate from the menu. A confirmation dialog opens.

If you have a fresh installation, select No. Otherwise, we recommend that you always take a backup (click Help in the backup dialog to see instructions on how to use the options if you choose to take a backup now).


Illustration 3.29 Update Package Activation

If you want to install Management or Monitoring clients through Web Start, continue by Distributing StoneGate Clients Through Web Start, on page 47. Otherwise, proceed to the next chapter, Defining Sensors and Analyzers, on page 53.

Non-Graphical Instal lationIn Linux, the Management Center can also be installed on the command line. Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.

To run the non-graphical installation1. Open the shell.2. Change to the directory CD-ROM/StoneGate_SW_Installer/Linux/3. Run the command “./setup.sh -nodisplay” to start the installation.

Illustration 3.30 Accepting the License Agreement

4. Accept the license agreement by typing “Y”.5. After the license agreement display, you are prompted for the installation

directory.6. Press ENTER to install to the default installation directory or define a different

directory. Confirm it by typing in “Y”.

Close the tab when the activation is finished.

DO YOU ACCEPT THE TERMS OF THE LICENSE AGREEMENT? (Y/N)


Illustration 3.31 Choosing the Link Location

7. Press ENTER to create the StoneGate links in the default directory or select one of the other options.

Illustration 3.32 Choosing the Installation Options

8. Select the StoneGate components you want to install. • Press ENTER to install all Management Center components except the

Monitoring Server.• Press 2 to install only the Management Client.• Press 3 for a customized installation.

Note – You need a graphical environment to use the Management Client. It cannot be run on the command line. Only the server components can be run in a command- line-only environment.

The installation options for the Management Center components are the same as in the graphical installation. Proceed as follows:• To install a Management Server, see Installing a Management Server, on page 28.• To install a Log Server, see Installing a Log Server, on page 29.• To install a Monitoring Server, see Installing a Monitoring Server, on page 31

Choose Link Location-------------Where would you like to create links?

->1 - Default:/StoneGate2 - In your home folder3 - Choose another location...

4 - Don’t create links

ENTER THE NUMBER OF AN OPTION ABOVE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1

Choose StoneGate Components-----------------

Please choose the Install Set to be installed by this installer.

->1 - Typical2- Administration Client Only3- Customize...

ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT : 1


• To install a Management Client, see Installing a Management Client, on page 31.• After installing all components, continue to Finishing the Installation, on page 32.



CHAPTER 4 Distributing StoneGate Clients Through Web Start

The Management Client and Monitoring Client components can be distributed through Web Start. This eliminates the need for each administrator to upgrade their client(s) when the SMC is upgraded to a new version (the version of the client must always match to the version of the respective server).


Getting Started With Web Start Distribution, on page 48 Distributing Clients from the SMC Servers, on page 48 Distributing Clients from a Separate Server, on page 49 Accessing the Web Start Clients, on page 50

47

Getting Started With Web Start Distr ibutionDistributing Management Clients or Monitoring Clients through Web Start allows users to log in to the Management Client or Monitoring Client through a Web browser at the address that the Management Server and the Monitoring Server use.Management Clients and Monitoring Clients distributed with Web Start have the same set of features as clients installed with the installation wizard. The only differences are in the installation and update process. When the Management Center is upgraded, the Web Start files are also updated, and Web Start automatically downloads the updated version when the user logs in.There are two ways to configure Web Start access. You can activate an internal Web server on the Management Server and the Monitoring Server (the server distributes only Web Start clients). Alternatively, you can copy the files to a separate Web server and run a script that creates the configuration files for running the application.Begin by Distributing Clients from the SMC Servers, on page 48 or Distributing Clients from a Separate Server, on page 49.

Distributing Clients from the SMC ServersWhen you install the Management Server and the Monitoring Server, the files needed for distributing the Management Clients and Monitoring Clients are included in the installation. You can simply enable Web Start access to these files on the Management Server and the Monitoring Server.

To enable a Web Start server1. Right-click the Management Server or Monitoring Server element that you want

to use as a Web Start server and select Properties. The Properties dialog for the element opens.

2. Switch to the Web Start Server tab.

Illustration 4.1 Web Start Server Properties

3. Select Enable. The Web Start server options are enabled.4. (Optional) Enter the Host Name that the Web Start server uses.5. (Optional) Enter the (TCP) Port Number that the Web Start Server uses in the

Port Number field. By default, the standard HTTP port 80 is used.

48 Chapter 4: Distributing StoneGate Clients Through Web Start

• If both the Monitoring Server and Management Server run on the same server, and the server only has a single IP address, you must set the two Web Start servers to run on different ports.

Note – Make sure the port is not used by other listening services on the server. For ports reserved for StoneGate services, see StoneGate-Specific Ports, on page 203.

6. (Optional) Enter the IP address where the Web Start files will be available to the Management Client or Monitoring Client users in the Listen Only on Address field if the server has several addresses and only one is allowed for this access.• If you leave the Host Name and Listen Only on Address fields empty, the users

can access the Web Start files at any addresses that the Management Server or Monitoring Server may have.

7. (Optional) Select Access Logs if you want logs to be generated when the Web Start server is accessed.

8. Click OK.Test the Web Start installation by following the instructions in Accessing the Web Start Clients, on page 50.

Distributing Clients from a Separate ServerYou can use Web Start even if you do not want to use the Management Server and the Monitoring Server as Web Start servers. In this case, you can place the Web Start package on any Web server.The Web Start package can also be placed on a shared network drive. There is a limitation to this: the path to the network drive is included in the installation files, so the path, including the drive letter, must be the same for the administrators that wish to use that particular version of the installation package. If the network drive paths vary, consider placing the package on a Web server instead, for example, in the Intranet of your company.

Note – You must install a new Web Start package according to these instructions each time you upgrade the Management Center. Otherwise, any administrators that use Web Start-installed Management Clients are not able to log in.

To install the Web Start package1. Browse to StoneGate_SW_Installer→Webstart on the installation CD-ROM.

Caution – The Web Start installation creates an index.html file. Any existing index.html file will be overwritten. We strongly recommend creating a new directory for the Web Start files.

Distributing Clients from a Separate Server 49

2. Copy all files and all directories from the Webstart directory on the installation CD-ROM to the directory on the Web server or network drive where you want the Web Start files to be served.

3. On the command line, change to the directory on your server where the Web Start files are located.

4. Run the Web Start setup script and give the URL or the path of the directory on your server where the Web Start files are located as the parameter:• Windows: cscript webstart_setup.vbs <web start directory>• Linux: run webstart_setup.sh <web start directory>

Note – The setup script generates Web Start files for both the full Management Client and the Monitoring Client.

5. If necessary, modify the configuration of the Web server to return the appropriate MIME type for.jnlp-files (application/x-java-jnlp-file). Consult the manual of your Web server for instructions on how to configure the MIME type.

6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory. For security reasons, the webstart_setup.vbs and webstart_setup.sh script files should not be in the same directory as the generated Web Start files and other shared client files.

Test the Web Start installation by following the instructions in Accessing the Web Start Clients, on page 50.

Accessing the Web Start Cl ientsAfter the Web Start package is installed on a Web server or a network drive or the Management Server or Monitoring Server has been enabled as a Web Start Server, administrators can install the Management Client or Monitoring Client using the Web Start package if they have a current version of the Java Runtime Environment (JRE) installed on their computer (version required is shown on the example login page provided).

To access the Web Start Clients1. Enter the Web Start download page address in your Web browser

http://<server address>:<port>

TABLE 4.1 Examples

Installation on Example Web Start Directory

Web server http://www.example.com/webstart/

Network drive file://localhost/C:/support/webstart/


• :<port> is only needed if the server is configured to run on a different port from the HTTP standard port 80.

2. Click the link for the Web Start client.• Web Start automatically checks if the version on the server is already installed

on your local computer. If not, the new client is automatically installed on your computer. This is done each time the client is started this way, automatically upgrading your client installation whenever needed without any action from you.

• The client starts and displays the login dialog.3. Log in with the correct account credentials for the type of client.If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses for StoneGate Components, on page 53.Otherwise, you are ready to define the Sensor and Analyzer element(s). Proceed to Defining Sensors and Analyzers, on page 53.

Accessing the Web Start Clients 51


CHAPTER 5 Defining Sensors and Analyzers

This chapter explains how to define the Sensor and Analyzer elements in the StoneGate Management Center using the Management Client.


Configuration Overview, on page 54 Installing Dynamic Updates, on page 54 About Analyzer and Sensor Elements, on page 54 Defining Analyzers, on page 55 Defining Sensor Clusters, on page 60 Defining Single Sensors, on page 65 Defining Combined Sensor-Analyzers, on page 70 Defining Sensor Interfaces, on page 74 Configuring Routing, on page 79 Configuring IP Addressing for NAT, on page 84. Saving the Initial Configuration, on page 91

53

Configuration OverviewAfter you have the StoneGate Management Center (SMC) installed and running, you must configure the Sensors and Analyzers, which is mostly done through the Management Client. This chapter explains all the tasks you must complete before you can install and/or configure the physical sensors and analyzers.The tasks you must complete are as follows:1. Install and activate the most recent dynamic updates.2. Define the Analyzer(s) or combined Sensor-Analyzer(s).3. Define any single or clustered Sensor(s).4. Configure the routing for the Sensors and Analyzers. 5. If the connections between the StoneGate components are subject to Network

Address Translation (NAT), configure Locations and Contact Addresses.6. Save the defined configuration for use during Sensor and Analyzer installation.

Instal l ing Dynamic UpdatesThe most recent dynamic update must be activated in the Management Client before defining the Sensor and Analyzer elements. The dynamic update packages provide the latest information for the IPS system to detect the most recent security threats and may revise also the IPS policy rules in the default template as well as the default elements you use to configure the system.During the installation, the update package included on the installation CD-ROM has been imported and activated. However, since update packages are released more frequently than new software versions, you should still check which update package is active in the system and whether a newer one is available to ensure your system is current. See Installing Dynamic Updates, on page 39 for information on installing and activating dynamic updates. When you have activated the latest dynamic update, proceed to About Analyzer and Sensor Elements.

About Analyzer and Sensor ElementsAfter activating the latest dynamic update, the next task is to create the elements for your IPS components. The elements are a tool for configuring nearly all aspects of your physical IPS components, for example, the IP addresses. The elements are stored on the Management Server and the relevant parts of the information are transferred to the physical sensor and analyzer devices when you install the IPS policy on a sensor.An important part of the elements are the interface definitions. StoneGate IPS elements have three kinds of interfaces:• Normal Interfaces (IP Addresses), which are used for communications that have the

Sensors or Analyzers themselves as the source or the final destination (such as the

54 Chapter 5: Defining Sensors and Analyzers

control connections from the Management Server). Multiple IP Addresses can be defined for the same physical network interface.

• Capture interfaces, which are used to pick up traffic from the network for inspection without routing the traffic through the cluster. Capture interfaces cannot be defined for the same Physical Interface as Normal Interfaces. In a Sensor Cluster, the Capture interface definitions are shared by all the cluster members.

• Inline interfaces, which are used to route traffic through the sensors for traffic inspection and to actively select connections that are not allowed to continue. Inline interfaces cannot be defined for the same Physical Interface as Normal Interfaces. Inline interfaces can be defined for Single Sensors and Inline Serial Sensor Clusters.

The interfaces have their own numbering in the Management Center called Interface ID, which is independent of the operating system interface numbering on an IPS engine. However, if you do the engine’s initial configuring using the automatic USB memory stick configuration method, the Interface IDs in Management Center are mapped to match the physical interface numbering in the operating system (eth0 is mapped to Interface ID 0 and so on). If you do the initial configuration manually, you can freely choose how the Interface IDs in the Management Center are mapped to the physical interfaces.Except for combined Sensor-Analyzer elements, the Analyzer element(s) must be created before creating Sensor elements. First, define an Analyzer as explained below or a combined Sensor-Analyzer as explained in Defining Combined Sensor-Analyzers, on page 70.

Defining AnalyzersThis section covers the basic configuration of an Analyzer element that should be sufficient at this point. For complete instructions on configuring Analyzer properties, see the Online Help of the Management Client or the StoneGate Administrator’s Guide.To configure a combined Sensor-Analyzer, see Defining Combined Sensor-Analyzers, on page 70.

To define an Analyzer element

Illustration 5.1 Opening the Configuration View



Illustration 5.2 Creating a New Analyzer Element

Illustration 5.3 Analyzer Properties

If you have secondary Log Servers, you add them in the properties of the primary Log Servers you select here (for all engines that send data to that primary Log Server).Continue by defining the network interfaces as explained in the next section.

Defining the Analyzer Network InterfacesDuring the interface configuration, you define the IP address and the role for each network interface in your analyzer:• Only one interface is mandatory, but at least two interfaces are recommended to

provide a primary and a backup channel for Management Server communications, which are necessary for controlling the analyzer.

Right-click IPS Configuration and select New→Analyzer from the menu that opens.

1. Type in a unique Name for the Analyzer element.2. If you have several Log Servers, select the one(s) where this Analyzer will send its logs and alerts.


• The volume of log traffic can easily grow large enough to delay other connections. You may want to have dedicated interface(s) for the log-related communications.

Begin by Defining Analyzer Physical Interfaces.

Defining Analyzer Physical Interfaces

To add a physical interface for an Analyzer

Illustration 5.4 Analyzer Properties

Illustration 5.5 Physical Interface Properties

The physical interface is added to the Interfaces list. Define all necessary physical interfaces in the same way. Continue by Defining Analyzer IP Addresses.

2. Right-click and select New Physical Interface. The Interface Properties dialog opens.

1. Switch to the Interfaces tab.

1. Select the Interface ID.

2. (Optional) Type in a Comment for your own reference.

3. Select the Type of interface to create.

4. Click OK.


Defining Analyzer IP Addresses

To define an IP Address for an Analyzer

Illustration 5.6 Adding an IP Address to an Analyzer

Illustration 5.7 Interface Properties

You can define several interfaces (IP addresses) for the same physical network interface. Before you continue, write down the networks to which each Interface ID is connected.Continue by Setting Analyzer Interface Options.

Right-click a physical interface and select New IP Address. The Interface Properties dialog opens.

1. Enter the IP Address.

2. Enter the Netmask.

3. Click OK.


Setting Analyzer Interface Options

To define the interface optionsClick Options. The Interface Options dialog opens.

Illustration 5.8 Network Interface Properties

We recommend separating the primary and backup control interfaces on two separate physical interfaces.When you close the Analyzer properties, you should see the notification shown in the illustration below.

Illustration 5.9 Confirmation

Proceed as follows:• If you want to define more Analyzers, define them in the same way before defining

any Sensors.• To define a Sensor Cluster, proceed as instructed in the next section.• To define a Single Sensor, proceed to Defining Single Sensors, on page 65.• To define a Combined Sensor-Analyzer, proceed to Defining Combined Sensor-

Analyzers, on page 70.

1. Select the Primary Control Interface that is used for Management Server communications. 2. (Optional) Select a Backup Control Interface.

3. Select the Log/Analyzer communication source IP address for communications with the Log Server.

Click No and proceed as explained below.(It is easiest to do routing later for all components at the same time.)


Defining Sensor ClustersThis section covers the basic configuration of a Sensor Cluster element. For complete instructions on configuring the Sensor cluster properties, see the Online Help of the Management Client or the StoneGate Administrator’s Guide.

To define a Sensor Cluster element


Illustration 5.11 Creating a New Sensor Cluster Element


Right-click IPS Configuration and select New→Sensor Cluster from the menu that opens.


Illustration 5.12 Sensor Cluster Properties


Defining the Sensor Cluster Network InterfacesIf you plan to use VLAN interfaces, it is preferred configure the VLAN interfaces before configuring the interface properties (as explained in Defining Sensor Cluster VLAN Interfaces, on page 63).Begin by Defining Sensor Cluster Physical Interfaces.

1. Type in a unique Name for the Sensor Cluster element.

2. Select the Analyzer for sending data on detected events.

3. Select the Log Server that will store traffic recordings made by this Sensor Cluster (created logs are sent through the selected Analyzer).


Defining Sensor Cluster Physical Interfaces

To add a Physical interface to a Sensor Cluster

Illustration 5.13 Sensor Cluster Properties






4. Click OK.

3. Select the Type of interface to create. Normal Interfaces are used for network connections to the Management Server and other StoneGate components. Capture Interfaces are used to listen to traffic that is not routed through the Sensor. See Defining Sensor Capture Interfaces, on page 75. Inline Interfaces are used if you want the traffic to flow through the Sensor nodes in an inline serial cluster. See Defining Sensor Inline Interfaces, on page 77.


Defining Sensor Cluster VLAN InterfacesAfter VLAN interfaces are created, you can use them like any other interfaces, except that you must not use them for the Primary Heartbeat connection, and you cannot use them for TCP connection termination.

To add a VLAN interface to a sensor cluster

Illustration 5.15 Adding a VLAN Interface

To configure the VLAN interface properties

Illustration 5.16 VLAN Interface Properties

The specified VLAN ID is added to the physical interface. The CVI mode and MAC address must be the same for all VLANs on the same physical interface, and you must not use VLAN interfaces for the Primary Heartbeat connection.

Note – The VLAN ID must be the same VLAN ID used in the switch at the other end of the VLAN trunk.

Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Next, configure the VLAN interfaces just like any other network interface.Proceed to Defining IP Addresses for Sensor Clusters, on page 64.


2. Right-click and select New→VLAN Interface. The Interface Properties dialog opens.

Enter the VLAN ID and click OK.


Defining IP Addresses for Sensor Clusters

To add an IP Address to a Sensor cluster

Illustration 5.17 Adding an IP Address

Illustration 5.18 IP Address Properties

You can define several interfaces (IP addresses) for the same physical network interface. Before you continue, write down the networks to which each Interface ID is connected.Continue by Defining Sensor Cluster Interface Options, on page 64.

Defining Sensor Cluster Interface Options

To define Sensor Cluster interface optionsClick Options. The Interface Options dialog opens.


2. Right-click a physical interface and select New IP Address. The IP Address Properties dialog opens.

1. Enter the IP Addresses for all nodes of the cluster.


3. Click OK.


Illustration 5.19 Sensor Cluster Interface Options

Note – Heartbeat and state synchronization (which take place on the same interface) are time-critical communications, and network latency from other traffic may interfere with the operation of the cluster. Heartbeat traffic can include details about traffic processed. Therefore, we recommend using separate and protected networks for this traffic. If protecting Heartbeat segments is not possible, state synchronization security can be changed from the default value signed to encrypted.

Continue the configuration by Defining Sensor Capture Interfaces, on page 75.

Defining Single SensorsThis section covers the basic configuration of the Single Sensor element. A single Sensor does not have the load balancing and high availability features of a Sensor cluster. For detailed instructions on configuring the single Sensor, please see the Online Help of the Management Client or the StoneGate Administrator’s Guide PDF.

To define a single Sensor


One Physical Interface per cluster must be the Primary interface for Management Server contact.If Primary is down, the Backup interface is used.

One Primary Hearbeat Interface must be defined for the cluster. It is used for communications between the nodes.You can select a second Physical Interface as the Backup (recommended).

Select the Log/Analyzer communication source IP address for communications with the Log Server.



Illustration 5.21 Creating a New Single Sensor Element

Illustration 5.22 Single Sensor Properties


Defining the Single Sensor InterfacesIf you plan to use VLAN interfaces, the VLAN interfaces must be configured before configuring the interface properties. Otherwise, proceed to Defining IP Addresses for Single Sensors, on page 68.

Right-click IPS Configuration and select New→Single Sensor from the menu that opens.

1. Type in a unique Name for the Sensor element.

2. Select the Analyzer for sending data on detected events.

3. Select the Log Server that will store traffic recordings made by this Sensor (created logs are sent through the selected Analyzer).


Defining Single Sensor Physical Interfaces

To add a Physical interface to a Single Sensor



Defining Single Sensor VLAN Interfaces

To add a VLAN interface to a Single Sensor

Illustration 5.25 Adding a VLAN Interface





3. Select the Type of interface to create.

4. Click OK.


2. Right-click and select New→VLAN Interface. The Interface Properties dialog opens.




The specified VLAN ID is added to the physical interface.


Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Next, configure the VLAN interfaces just like any other network interface.Proceed to Defining IP Addresses for Single Sensors, on page 68.

Defining IP Addresses for Single Sensors

To add an IP Address for a single sensor




2. Right-click and select New→IP Address. The IP Address Properties dialog opens.



You can define several interfaces (IP addresses) for the same physical network interface. Before you continue, write down the networks to which each Interface ID is connected.Continue by Defining Sensor Cluster Interface Options, on page 64.

Defining Single Sensor Interface Options

To define Single Sensor interface optionsClick Options. The Interface Options dialog opens.

Illustration 5.29 Interface Options

Proceed as follows:• Define the Capture Interfaces as explained in Defining Sensor Capture Interfaces, on

page 75.



3. Click OK.

If you want to use this interface for communications with the Log Server, select Log/Analyzer communication source IP address.

One Physical Interface per Sensor must be the Primary interface for Management Server contact. If Primary is down, the Backup interface is used.


• Define Inline Interfaces as explained in Defining Sensor Inline Interfaces, on page 77.

Defining Combined Sensor-AnalyzersA combined Sensor-Analyzer is a special case of StoneGate IPS installation for small network environments, where the Sensor and Analyzer are located on the same machine. This section covers the basic configuration of the element. For detailed instructions on configuring the single Sensor, please see the Online Help of the Management Client or the StoneGate Administrator’s Guide PDF.

To define a Sensor-Analyzer


Illustration 5.31 Creating a New Sensor-Analyzer Element


Right-click IPS Configuration and select New→Combined Sensor-Analyzer from the menu that opens.


Illustration 5.32 Combined Sensor-Analyzer Properties


Defining the Sensor-Analyzer InterfacesIf you plan to use VLAN interfaces, the VLAN interfaces should be configured before configuring the interface properties. Otherwise, proceed to Defining IP Addresses for Single Sensors, on page 68.

Defining Sensor-Analyzer VLAN InterfacesAfter VLAN interfaces are created, you can use them like any other interfaces, except that you cannot use them for TCP connection termination.

To define a Sensor-Analyzer VLAN Interface

Illustration 5.33 Adding a VLAN Interface to a Sensor-Analyzer

1. Type in a unique Name for the Sensor-Analyzer element.

3. Select the Log Server that will store traffic recordings made by the Sensor.

2. If you have several Log Servers, select the one(s) where this Analyzer will send its logs and alerts.


2. Right-click a physical interface and select New→VLAN Interface. The Interface Properties dialog opens.




The specified VLAN ID is added to the physical interface.


Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Next, configure the VLAN interfaces just like any other network interface.Proceed to Defining IP Addresses for a Sensor-Analyzer, on page 72.

Defining IP Addresses for a Sensor-Analyzer

To add an IP Address for a combined Sensor-Analyzer




2. Click New→IP Address. The IP Address Properties dialog opens.



You can define several interfaces (IP addresses) for the same physical network interface. Before you continue, write down the networks to which each Interface ID is connected.Continue by Setting Combined Sensor-Analyzer Interface Options, on page 73.

Setting Combined Sensor-Analyzer Interface Options

To set the Sensor-Analyzer Interface Options

Illustration 5.37 Interface Options

Proceed as follows:• Define the Capture Interfaces as explained in Defining Sensor Capture Interfaces, on

page 75.• Define Inline Interfaces as explained in Defining Sensor Inline Interfaces, on

page 77.



3. Click OK.

If you want to use this interface for communications with the Log Server, select Log/Analyzer communication source IP address.

One IP Address per Sensor must be the Primary interface for Management Server contact. If Primary is down, the Backup interface is used.


Defining Sensor Interfaces

Defining Logical InterfacesA Logical Interface is used in the IPS policies and the traffic inspection process to represent a network segment. A Logical interface can represent any number or combination of interfaces and VLAN interfaces, except that the same Logical interface cannot be used to represent both Capture interfaces and Inline interfaces on the same Sensor. The rules in the default IPS policy template match to all Logical Interfaces.Logical interfaces have one option, View interface as one LAN, which can be turned on or off. By selecting the option, you avoid the sensor seeing a single connection as multiple connections when a switch passes traffic between different VLANs and all traffic is mirrored to the sensor through a SPAN port.

To define a new logical interface

Illustration 5.38 Define Logical Interface

Click the New icon and from the menu that opens, select Logical Interface. The Logical Interface Properties dialog opens.

To define a new Logical Interface, click Configuration and select IPS Configuration.


Illustration 5.39 Logical Interface Properties

Defining Sensor Capture InterfacesCapture interfaces have two modes, SPAN or Wire TAP, which you must select according to the network connection. For more information, see Checking the Surrounding Network Environment, on page 18.Capture Interfaces (and Inline Interfaces) are associated with a Logical Interface, which is used in the IPS policies and the traffic inspection process to represent one or more Sensor interfaces. You can use the Default_Eth Logical Interface, or you can define your own Logical interfaces as explained in Defining Logical Interfaces, on page 74 to represent different network segments on the same Sensor, so that you can more easily create separate rules for them in the IPS policy.

Note – If you have both Capture interfaces and Inline interfaces on the same Sensor, you must use different Logical interfaces for the different interface types.

To add a Capture Interface for a Sensor

Illustration 5.40 Sensor Properties

1. Type a Name for the new Logical interface.

2. (Optional) If you have VLAN interfaces, you can select the View interface as one LAN option to make StoneGate treat the associated VLANs as a single LAN.

3. Click OK .





If you are using the Default_Eth Logical interface, click OK and repeat the procedures above to add more Capture interfaces.

Illustration 5.42 Select Logical Interface

You are returned to the Interface Properties dialog. Click OK. Define any additional interfaces in the same way.If you are done with Capture interfaces:• To define Inline interfaces, proceed to Defining Sensor Inline Interfaces, on page 77.• Otherwise, proceed as explained below.Before you continue, write down the networks to which each Interface ID is connected.


2. Select Capture Interface as the Type.

3. If you have defined TCP Reset Interface(s), you can associate one for use with traffic picked up through this Capture interface.

4. If your configuration requires you to change the Logical Interface from Default_Eth, click Select and continue to Illustration 5.42.

Select a Logical interface from the list and click the Select button to associate that Logical interface for the interface you are defining.


When you close the Sensor or Sensor-Analyzer properties, you should see the notification shown in the illustration below.


Defining Sensor Inline InterfacesInline interfaces can be defined for Single Sensors, Combined Sensor-Analyzers, and Sensor Clusters in an Inline Serial Cluster configuration. The number of inline interfaces you can have are limited by the license in use.One inline interface always comprises two physical interfaces, as the traffic is forwarded from one interface to the other. Allowed traffic passes through as if it was going through a network cable. Traffic you want to stop is dropped by the Sensor.Inline interfaces (like Capture interfaces) are associated with a Logical Interface, which is used in the IPS policies and the traffic inspection process to represent one or more Sensor interfaces. You can use the Default_Eth Logical Interface, or you can define your own Logical interfaces to represent different network segments on the same Sensor, so that you can more easily create separate rules for them in the IPS policy.

Note – If you have both Capture interfaces and Inline interfaces on the same Sensor, you must use different Logical interfaces for the different interface types.

To add an Inline Interface for a Sensor

Illustration 5.44 Sensor Properties

If you have defined all Sensor elements you need, click Yes and proceed to Configuring Routing, on page 79.

If you want to define more Sensors, click No and add the additional Sensors.





If you are using the Default_Eth Logical interface, click OK and repeat the procedures above to add more Inline interfaces.

Illustration 5.46 Select Logical Interface

You are returned to the Interface Properties dialog. Click OK. Define any additional interfaces in the same way.If you are done with Capture interfaces:• To define Inline interfaces, proceed to Defining Sensor Inline Interfaces, on page 77.• Otherwise, proceed as explained below.Before you continue, write down the networks to which each Interface ID is connected.

1. Select the Interface ID. The Second Interface ID is automatically assigned based on this Interface ID.2. Select Inline Interface as the Type.

3. If your configuration requires you to change the Logical Interface from Default_Eth, click Select and continue to Illustration 5.46.

Select a Logical interface from the list and click the Select button to associate that Logical interface for the interface you are defining.


When you close the Sensor or Sensor-Analyzer properties, you should see the notification shown in the illustration below.


Configuring RoutingWhen you modify interfaces and then close the Analyzer or Sensor properties, you always receive a notification that allows you to open the Routing view directly. You can view the Routing view at any other time by selecting Configuration→Routing from the menu.

Note – The Sensors and Analyzers do not function as gateways. They do not forward traffic from one network to another. Inline interfaces are always fixed as port pairs: traffic entering through one port is always forwarded to the other port.

To select the correct element

Illustration 5.48 Routing View

If you have defined all Sensor elements you need, click Yes and proceed to Configuring Routing, on page 79.

If you want to define more Sensors, click No and add the additional Sensors.

Select the appropriate element.


Illustration 5.49 Expanded Routing Tree

Networks corresponding to the IP addresses you have defined for the interfaces of your Analyzers and Sensors have been automatically added to the Routing Configuration. You can modify the routing in the following ways:• You can add the default route to take when no specific route is defined in the

routing view. • You can add networks that are not connected directly to the Analyzer or Sensor, and

which are reachable through some other interface instead of the default gateway.

Note – Networks are only added automatically. Networks and interfaces are never deleted automatically, but inappropriate elements are marked with a symbol to show that they are invalid.

For defining either type of route, you first have to add a Router element to represent the gateway device that will forward packets to the networks you add in the Routing Configuration. Proceed as explained in the sections below.

To add a router

Illustration 5.50 Adding a Router Element

Networks corresponding to the interface definitions have been automatically added under all interfaces.

Right-click the Network that is the correct route to some other network and select New→Router.


Illustration 5.51 Router Properties

After adding a Router, you can add the route(s) to it as explained in the next sections.

1. Type a name for the Router.2. Enter the IP address of the device that connects your internal networks.

3. Click OK.


To add the default route

Illustration 5.52 Adding The Any Network Element

Right-click the Router you just created and select New→Any Network.(Actually, you are not creating a new element, but just inserting the existing default element “Any Network”.)


To add other routes

Illustration 5.53 Adding Internal Network

Illustration 5.54 Network Element Properties

Add as many Networks as you need to the Router element.The routing configuration changes are transferred to the engine node with the other configuration information when you install the IPS policy on the Sensor.Proceed as follows:• If Network Address Translation (NAT) is used in your network, proceed to the next

section, Configuring IP Addressing for NAT.• Otherwise, proceed to Saving the Initial Configuration, on page 91.

Right-click the Router you just added and select New→Network. The Network Properties dialog opens.

1. Type in a Name for the Network.

2. Type in the IP Address and netmask.

3. (Optional) Select this option to include broadcast addresses in the Network.

4. Click OK.


Configuring IP Addressing for NATThe StoneGate components communicate with each other using the IP address defined for the corresponding element in StoneGate. If there is Network Address Translation (NAT) between any of the communicating components, then the NATed IP addresses must be defined (in the case of the Management Client, only if the Log Server address is NATed).

Note – A contact address is necessary only if there is a NAT device between the communicating StoneGate components.

Communications between the StoneGate IPS components are presented as a table in StoneGate IPS Ports, on page 155.If contact addresses are required, begin by defining Locations as explained below. If you are sure that Contact Addresses are not needed, proceed to Saving the Initial Configuration, on page 91.

Defining LocationsStoneGate components use the information you define in the Location elements to determine which IP address is used when there is NAT between the components. Elements that you do not put in any Location are members of a Default location, which is treated the same way as the other Locations.After you have the Location elements set up, you open the properties of each element as necessary, and define the Contact Addresses for the element from each Location’s viewpoint. All components in the other Locations then use the addresses defined for their Location. The Management Clients have a separate Location setting in the status bar at the bottom of the System Status and Configuration views, which is used if there is NAT between a Log Server and the Management Client.

To create a new Location

Illustration 5.55 Opening a Configuration view

Click the StoneGate Configuration icon in the toolbar. The Configuration view opens.


Illustration 5.56 Creating a New Location

Illustration 5.57 Location Properties

Repeat to add other Locations.Next, configure the Contact Addresses as necessary:• Engine Contact Addresses, on page 85• Server Contact Addresses, on page 89

Engine Contact AddressesYou must define the Location and Contact Address for the Sensor and Analyzer element if NAT is used between the Sensor or Analyzer engine and the Log Server or Management Server, or between the Sensor and Analyzer engines. Define the contact

2. Right-click Locations and select New Location from the menu that opens. The Location properties dialog opens.

1. Expand Administration in the tree view.

1. Type a Name.

2. Select element(s).

3. Click Add.

4. Repeat until all necessary elements are added.

5. Click OK.


addresses for the Primary and Backup Control interfaces to enable system communications.

To define a Location for a Sensor or Analyzer Element

Illustration 5.58 Opening Sensor or Analyzer Properties


2. Right-click the element and select Properties from the menu that opens. The Properties dialog for that element opens.

1. Switch back to the System Status view.

Select the correct Location.


To define a contact address for Single Sensor, Analyzer, or Sensor-Analyzer

Illustration 5.60 Single Sensor Properties - Interfaces

To define a contact address for a Sensor Cluster

Illustration 5.61 Editing Interface Properties of Sensor Clusters

Primary Control Interface is marked with “C” (uppercase).Secondary Control Interfaces are marked with “c” (lowercase).

Double-click the Control Interface and proceed to Illustration 5.62.


3. Double-click the Control Interface and proceed to Illustration 5.62.

Primary Control Interface is marked with “C” (uppercase).Secondary Control Interface is marked with “c” (lowercase).

2. Select a node.


To add a contact address

Illustration 5.62 Network Interface Properties

Illustration 5.63 Contact Addresses

Note – Elements that belong to the same Location element always use the primary IP address (defined in the main Properties window of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same Location, the Default Location.

Click OK to close the interface properties dialog. Add the contact addresses for all Control Interfaces as above.

Double-click the Contact Address cell. The Contact Addresses dialog opens.

3. (Optional) Define an address for the Default Location in the same way (see note below).

1. Select a Location and click Add to create an entry in the table below.

2. Click the Contact Address cell and enter the IP address, which the components that belong to this Location must use.

4. Click OK.


Proceed as follows:• Proceed to the next section to define contact addresses for the Management

Server, Log Server(s), and Monitoring Server(s).• Otherwise, proceed to Saving the Initial Configuration, on page 91.

Server Contact AddressesYou can enter one or more contact addresses for each Location on Management and Log Servers to support High Availability setups and allow efficient use of Multi-Link for remote components. Monitoring Servers can only have one contact address for each Location.

Note – To access Log Servers in some NAT environments, you need to select the correct Location also for your Management Client in the status bar at the bottom of the Management Client’s System Status view or Configuration view.

To define the Management, Log, and Monitoring Server contact addresses

Illustration 5.64 Opening Server Properties

Right-click a server and select Properties from the menu that opens. The Properties dialog for that server opens.


Illustration 5.65 Server Properties

Illustration 5.66 Contact Addresses

Note – Elements that belong to the same Location element always use the primary IP address (defined in the main Properties window of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same, Default Location.

Click OK to close the server properties and define the contact addresses for other servers as necessary in the same way.

Click Contact Address. The Contact Addresses dialog opens.

3. (Optional) Define an address for the Default Location in the same way (see note below).

1. Select a Location and click Add to create an entry in the table below.

2. Click the Contact Addresses cell(s) and enter the IP address(es), which the components that belong to this Location must use. You can enter multiple addresses, separated by commas, for Management and Log Servers.

4. Click OK.


• If NAT is performed between your Management Client and a Log Server, proceed to the next section, Management Client Location Setting.

• Otherwise, proceed to Saving the Initial Configuration, on page 91.

Management Client Location SettingWhen NAT is performed between the Management Client and a Log Server, you must select the correct Location also for your Management Client in the status bar at the bottom of the Management Client System Status or Configuration view. Each administrator must set the correct Location individually for their installation.

To select the Management Client Location

Illustration 5.67 Configuration View - Bottom Right Corner

Proceed to the next section.

Saving the Init ial ConfigurationAfter defining the firewall properties, save the initial configuration for all Sensors, Analyzers, and Sensor-Analyzers. The initial configuration sets some basic parameters for the engines and triggers the creation of one-time passwords used for initializing each engine’s connection with the Management Server.There are three ways to initialize your IPS engines and establish contact between them and the Management Server:• You can write down the one-time password and enter all information manually in the

command-line Configuration Wizard on the engines.• You can save the configuration on a floppy disk or a USB memory stick to import

some of the information in the command-line Configuration Wizard on the engines.• You can save the initial configuration on a USB memory stick and use the memory

stick to automatically configure the engine without using the Configuration Wizard.

Note – The automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all other environments.

Click the Default Location name in the status bar at the bottom of the window and select the correct Location from the list that opens.


To save the initial configuration

Illustration 5.68 Saving the Initial Configuration

Depending on the method you want to use, follow the instructions in Illustration 5.69 (Configuration Wizard) or Illustration 5.70 (fully automatic).

1. Right-click an element.

2. Select Configuration→Save Initial Configuration. The Initial Configuration dialog opens.


To prepare for configuration using the Configuration Wizard

Illustration 5.69 Initial Configuration Dialog

1. (Optional) If you plan to enter the information manually, write down or copy-paste the Management Server fingerprint for additional security.

2. If you plan to enter the information manually, write down or copy-paste the One-Time Password for each engine. Keep track on which password belongs to which engine node.

3. If you plan to import the configuration while you are in the Configuration Wizard, click Save As and save the configuration on a USB memory stick.


To prepare for fully automatic configuration

Illustration 5.70 Initial Configuration Dialog

Once the engines are fully configured, the SSH daemon can be set on and off using the Management Client. Enabling SSH in the initial configuration gives you remote command line access in case the configuration is imported correctly, but the engine fails to establish contact with the Management Server.The time zone selection is used only for converting the UTC time that the engines use internally for display on the command line. All internal operations use UTC time, which is synchronized with the Management Server time once the engine is configured.If you lose the one-time password or the saved configuration, you can repeat the procedure for the effected IPS engines.

Caution – Handle the configuration files securely. They include the one-time password that allows establishing trust with your Management Server.

You are now ready to install the IPS engine(s):• If you are installing StoneGate as a software product on your server, proceed to

Installing Sensors and Analyzers, on page 97.• If you have a StoneGate hardware appliance, see installation and initial

configuration instructions in the Appliance Installation Guide that was delivered with the appliance. After this, you can return to this guide to set up basic policies (see Installing Policies, on page 111) or see the more detailed instructions in the Online Help of the Management Client (or the Administrator’s Guide PDF).

4. Click Save As and save the configuration to the root directory of a USB memory stick, so that the system can boot from it.

3. Set the engine time zone and keyboard layout.

1. Disable the backward-compatible configuration file generation.

2. (Optional) Enable the SSH daemon to allow remote access to the engine command line.


Installing Sensors and Analyzers

CHAPTER 6 Installing Sensors and Analyzers

This chapter describes how to install StoneGate IPS Sensors and Analyzers on any standard Intel or Intel-compatible platform such as AMD.


Installing the Sensor or Analyzer Engine, on page 98 Configuring the Engine, on page 99 Installing in Expert Mode, on page 106

97

Instal l ing the Sensor or Analyzer Engine

Caution – Check that the Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI) settings are disabled in BIOS. Otherwise, the engine may not start after installation or may shut down unexpectedly.

Note – The engines must be dedicated to StoneGate IPS. No other software can be installed on them.

Before you proceed to installing the engines, make sure you have completed the following steps (as instructed in the previous chapters):• Installing the Management Center• Creating the initial configuration (one-time password for Management Contact) for

each IPS engine.The installation steps for Sensor, Analyzer, and combined Sensor-Analyzer are similar, as the engine type is only selected at the end of the installation. What you see on your screen may have a different appearance from the illustrations in this guide depending on your system configuration.StoneGate appliances are delivered with pre-installed software. Configure the software as instructed in the Appliance Installation Guide delivered with the appliance.

Checking the File IntegrityBefore installing StoneGate IPS, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 16.

Starting the InstallationThe installation is started by booting the engine machine from the installation CD-ROM as explained below.

Caution – Installing StoneGate deletes all existing data on the hard disk.

To install StoneGate IPS engine from a CD-ROM1. Insert the StoneGate IPS installation CD-ROM into the drive and reboot the

machine from the CD-ROM.2. After going through the License Agreement, type YES and press ENTER to accept

the license agreement and continue with the configuration.

98 Chapter 6: Installing Sensors and Analyzers

Illustration 6.1 Selecting the Install Mode

3. Select the type of installation• Type 1 for the normal Full Install.• If you want to partition the hard disk manually, type 2 for the Full Install in

expert mode and continue in Installing in Expert Mode, on page 106.4. Indicate the number of processors:

• For a uniprocessor machine, type 1 and press ENTER.• For a multiprocessor machine, type 2 and press ENTER.

5. To accept automatic hard disk partitioning, type YES.6. The automatic installation process starts.

• If you want to use the automatic configuration method, do not reboot once the installation finishes, but continue in Configuring the Engine Automatically with a USB Stick below.

• Otherwise, remove the CD-ROM and press ENTER to reboot when prompted to do so. Continue in Starting the Engine Configuration Wizard, on page 100

Configuring the EngineDuring the initial configuration, the operating system settings, network interfaces, and the Management Server connection are defined.

Configuring the Engine Automatically with a USB StickThe automatic configuration is primarily intended for StoneGate appliances, and may not work in all environments when you use your own hardware. If the automatic configuration does not work, you can still run the Configuration Wizard as explained in the next section and import or enter the information manually.When automatic configuration is used, Interface IDs numbers are mapped to physical interfaces by matching the numbers: Interface ID 0 is mapped to eth0, Interface ID 1 is mapped to eth1, and so on.

Note – The imported configuration does not contain a password for the root account, so you must set the password manually in the Management Client before you can log in for command line access to the engine. See the Online Help of the Management Client or the StoneGate Administrator’s Guide for more information.


To install and configure the engine with a USB stick1. Insert the USB stick.2. Remove the CD-ROM and press ENTER at the installation finished prompt.

StoneGate reboots, imports the configuration from the USB stick, and makes the initial contact to the Management Server.• If the automatic configuration fails, and you do not have a display connected,

you can check for the reason in the log (sg_autoconfig.log) written on the USB stick.

• If you see a “connection refused” error message, ensure that the Management Server IP address is reachable from the node.

The configuration is complete when the appliance successfully contacts the Management Server and reboots itself. Continue the configuration in After Successful Management Server Contact, on page 106, where you can also find an explanation on how successful management contact is indicated in the Management Client.

Starting the Engine Configuration WizardIf there is no USB memory stick with an engine configuration inserted when the machine is rebooted after the installation, the StoneGate Configuration Wizard starts. The wizard can always be run again by issuing the sg-reconfigure command on the engine command line.If you have stored the configuration on a floppy disk or a USB memory stick (see Saving the Initial Configuration, on page 91), you can import it now to reduce the need for typing in information.

To select the configuration method

Illustration 6.2 Welcome

To import a saved configuration, highlight Import using the arrow keys and press ENTER.

To skip the import, highlight Next and press ENTER. Proceed to Configuring the Operating System Settings, on page 101.


To select the import source

Illustration 6.3 Import Configuration

To import the configuration1. Select the correct configuration file. Remember that these are specific to each

individual firewall engine node.2. Highlight Next and press ENTER to continue.Continue the configuration as explained in the next section.

Configuring the Operating System Settings

To set the keyboard layout

Illustration 6.4 Configure OS Settings

Illustration 6.5 Select Keyboard Layout

If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

Select Floppy Disk or USB Memory and press ENTER

Highlight the entry field for Keyboard Layout using the arrow keys and press ENTER. The Select Keyboard Layout dialog opens.

Highlight the correct layout and press ENTER.

Tip: Type in the first letter to move forward more quickly.


To set the engine’s timezone


The timezone setting only affects the way the time is displayed on the engine command line. The actual operation always uses UTC time. The appliance’s clock is automatically synchronized with the Management Server clock.

To set the rest of the OS settings


Configuring the Network InterfacesThe configuration utility can automatically detect which network cards are in use. You can also add interfaces manually if necessary.

To add the network interfaces

Illustration 6.8 Configure Network Interfaces

1. Highlight the entry field for Local Timezone using the arrow keys and press ENTER.2. Select the correct timezone in the dialog that opens.

1. Type in the name of the engine.

2. Type in the password for the user root. This is the only account for engine command line access.

3. Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to engine command line using SSH.

4. Highlight Next and press ENTER. The Configure Network Interfaces window is displayed.

Highlight Autodetect and press ENTER.


Check that the autodetected drivers are correct and that all interfaces have been detected. If there are problems, add the network interfaces manually as explained in the section To define the network interface drivers manually, on page 103 (you can overwrite any autodetected setting).

To map the physical interfaces to Interface IDs

Illustration 6.9 Assigning Network Interfaces

Note – The Management interface must be the same interface that is configured as the Management Interface for the corresponding engine element in the Management Center.

The Sniff option can be used for troubleshooting the network interfaces. Select Sniff on an interface to run network sniffer on that interface. Press ENTER to exit the sniffer.Highlight Next and press ENTER to continue. Proceed to Contacting the Management Server, on page 104.

To define the network interface drivers manually

Illustration 6.10 Configure Network Interfaces

1. Type in the Interface IDs to map physical interfaces to the Interface IDs you defined in the engine element.

3. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server.

2. Highlight and press ENTER to match the speed/duplex settings to those used in each network.

Highlight Add and press ENTER.


Illustration 6.11 Add Device Driver

Contacting the Management ServerThe Prepare for Management Contact window opens. If the initial configuration was imported, most of this information is filled in.

Note – If there is a firewall between this IPS engine and the Management Server or Log Server, make sure that the firewall’s policy allows the initial contact and the subsequent communications. See StoneGate IPS Ports, on page 155 for a listing of the ports and protocols used.

This task has three parts. First, you activate an initial configuration on the engine. The initial configuration contains the information that the engine needs to connect to the Management Server for the first time. The initial configuration is replaced with a working configuration when you install an IPS Policy on this engine using the Management Client.

To activate the Initial Configuration

Illustration 6.12 Prepare for Management Contact - Upper Part

The initial configuration does not contain any working IPS policy. You must install an IPS policy on the engine to make it operational.

Select a driver that is used for your network card(s) and press ENTER.Repeat as necessary, then map the interfaces to Interface IDs as explained above.

1. Highlight Switch Node to Initial Configuration and press spacebar to activate.

2. Fill in according to your environment. The information must match to what you defined for the engine element (Primary Control IP Address). If the engine and the Management Server are on the same network, you can leave the Gateway to management field empty.


In the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server.

To fill in the Management Server informationIn the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server.If you do not have a one-time password for this engine, see the Installation Guide for instructions on how to save an initial configuration.

Illustration 6.13 Prepare for Management Contact - Middle Part

Note – Once initial contact has been made, the engine receives a certificate from the Management Center for identification. If the certificate is later on deleted or expires, you must repeat the initial contact using a new one-time password.

In the third part of the configuration, you select whether you want this engine to work as a Sensor, an Analyzer, or a combined Sensor-Analyzer. The selection you make must correspond to the element you created for this engine in the Management Client.

Illustration 6.14 Prepare for Management Contact - Lower Part

The engine now tries to make initial Management Server contact.• If you see a “connection refused” error message, ensure that the one-time

password is correct and the Management Server IP address is reachable from the node. Save a new initial configuration if unsure about the password.

2. Fill in the Management Server IP address and the one-time password that was created for this engine when you saved the initial configuration.

3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). This increases the security of the communications.

1. Highlight Contact Management Server and press spacebar to select.

1. Select the type of engine using the arrow keys and the spacebar.

2. Highlight Finish and press ENTER.


After Successful Management Server ContactAfter you see a notification that Management Server contact has succeeded, the IPS engine installation is complete and the engine is ready to receive a policy. In a while, the engine element’s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server can connect to the node.After installing all Sensor and Analyzer engines, proceed to Installing Policies, on page 111.

Instal l ing in Expert ModeTo start the installation, reboot from the CD-ROM (see Installing the Sensor or Analyzer Engine, on page 98).The difference between the normal and expert installation is that in expert mode, you partition the hard disk manually. If you are unfamiliar with partitioning hard disks in Linux, we recommend that you use the normal installation process.To continue with the expert mode installation, continue in Partitioning the Hard Disk Manually, on page 106.

Partitioning the Hard Disk ManuallyTypically, you need five partitions for the StoneGate IPS Sensor or Analyzer as explained in Table 6.1.

The partitions are allocated in two phases. First, disk partitions are created and second, the partitions are allocated for their use purposes.

TABLE 6.1 StoneGate IPS Partitions

Partition Recommended size Description

Engine root A 200 MBThe bootable root partition for the StoneGate IPS engine.

Engine root B 200 MBAlternative root partition for the StoneGate IPS engine. Used for the engine upgrade.

SwapTwice the physical memory

Swap partition for the StoneGate IPS engine.

Data 500 MB or moreUsed for the boot configuration files and the root user’s home directory.

SpoolRest of free disk space

Used for spooling


Caution – Partitioning deletes all the existing data on the hard disk.

To partition the hard disk1. If you are asked whether you want to create an empty partition table, type y to

continue.2. When prompted, press ENTER to continue. The partition table is displayed.

Illustration 6.15 Defining the Partition Table

3. Create the partitions for the engine as follows:3.1 For engine root A: 200 MB, bootable, Primary, Linux partition3.2 For engine root B: 200 MB, Primary, Linux partition3.3 For swap: twice the size of physical memory, Logical, Linux swap partition.

• To change the partition type to Linux swap, select Type and enter 82 as the file system type.

3.4 For data: 500 MB or more, Logical, Linux partition3.5 For spool: allocate rest of the free disk space, Logical, Linux partition.

4. Check that the partition table information is correct.5. Select Write to commit the changes and confirm by typing yes.6. Select Quit and press ENTER.

Allocating PartitionsAfter partitioning the hard disk, the partitions are allocated for the StoneGate IPS engine.


To allocate the partitions

Illustration 6.16 Checking the Partition Table

1. Check that the partition table is correct. Type YES to continue.

Illustration 6.17 Allocating Partitions

2. Using the partition numbers of the partition table (see Illustration 6.16), assign the partitions for the engine, for example:

2.1 For the engine root A partition, type 1.2.2 For the engine root B partition, type 2.2.3 For the swap partition, type 5.2.4 For the data partition, type 6.2.5 For the spool partition, type 7.

Illustration 6.18 Accepting the Partition Allocation

3. Check the partition allocation and type YES to continue.


Illustration 6.19 Installation Finished

4. The StoneGate IPS engine installation process is started. When installation is complete, remove the CD-ROM from the machine and press ENTER to reboot.

5. Continue the configuration as described in Configuring the Engine, on page 99.



CHAPTER 7 Installing Policies

This chapter describes policy installation on StoneGate IPS Sensors and Analyzers.


Installing the System Policy, on page 112

111

Instal l ing the System PolicyStarting with the predefined IPS policy provides you an easy way to begin using the IPS system. You can then fine-tune the system as needed. The System Policy and the elements used in it are updated when you import new dynamic updates (see Installing Dynamic Updates, on page 54). Therefore, the System Policy and the IPS System Template are locked from editing.When you install a policy on a sensor, the analyzer that the sensor uses also receives a new policy. Therefore, you do not install the policy separately on analyzers.

To view IPS policies

Illustration 7.1 Viewing IPS Policies

To install the System Policy

Illustration 7.2 Launching Policy Installation

1. Click the Security Policies icon in the toolbar.

2. Select the IPS Policy shortcut from the menu that opens. The IPS policies are shown.

1. Right-click System Policy.

2. Select Install Policy from the menu that opens.

112 Chapter 7: Installing Policies

The Policy Install task dialog opens.

Illustration 7.3 Policy Install Task

The policy installation progress is displayed.

Illustration 7.4 Sensor Policy Installation Status

At policy installation the policy to be installed is validated for errors and inconsistencies. Below the policy installation progress window, there is a list of Issues

1. Select the correct Sensor(s) and Sensor-Analyzer(s).

2. Click Add. The selected engines are added to the policy installation task.

3. Leave the Validate Before Upload selected, if you want to validate the policy before installation.

4. Click OK.


that have come up during the validation. Make sure that the policy installation is successful for both the sensor and the analyzer. Install the system policies on all Sensors, then switch back to a Monitoring view. You are now ready to command the Sensors online so that they start processing traffic.

To command a Sensor online

Illustration 7.5 Commanding a Sensor Online

Command all Sensors in the system online in the same way. Analyzers do not have a corresponding command: they always process the event information that any online sensors send them.You can inspect the generated logs and alerts by selecting Monitoring→Logs.This concludes the configuration instructions in this Installation Guide. To continue setting up your system, consult the Online Help (or the Administrator’s Guide PDF), particularly the Introduction to StoneGate in the Getting Started section.You can access the Online Help by pressing the F1 key, by selecting Help→Help Topics in the main menu or by clicking the Help button in a dialog. Depending on which window is currently active, you see either a help topic that is related to the current window or the front page of the help system.

1. Right-click a Sensor.

2. Select Commands→Go Online from the menu that opens.


Illustration 7.6 Online Help

See instructions for setting up and customizing the IPS system.



Maintenance

CHAPTER 8 Upgrading And Updating

When there is a new version of the StoneGate Management Center or the Sensor and Analyzer engine software, you should upgrade as soon as possible. You can download the new version and generate licenses for it (if needed) at the Stonesoft website as explained below.Additionally, StoneGate IPS is frequently updated to detect new attacks and vulnerabilities with new dynamic update packages that you can import and activate. On occasion, you may need to upgrade first before you can use a certain dynamic update package.


Getting Started with Upgrading StoneGate, on page 120 Upgrading or Generating Licenses, on page 122 Upgrading the Management Center, on page 126 Upgrading Engines Remotely, on page 128 Upgrading Engines Locally, on page 131 Changing IP Addressing, on page 133

119

Getting Started with Upgrading StoneGateYou can upgrade Management Center components as well as the Sensors and Analyzers without uninstalling the previous version. The Sensors and Analyzers may be upgraded locally or remotely.You can configure that the Management Server automatically checks for new updates and engine upgrades and informs you of them. See the Online Help for more information.During a Sensor cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. This way, you can also change the hardware of the nodes one by one while the other nodes handle the traffic. It is important to upgrade the Management Center components before upgrading the engines, because the old Management Center version may not be able to recognize the new version engines and generate a valid configuration for them. Older version engines can be controlled through a newer Management Center (see the Release Notes for possible restrictions).

Caution – All the Management Center components (Management Server, Management Client, Log Server, and the optional Monitoring Server and Monitoring Client) must use the same StoneGate version.

When you upgrade components, you may also want to change their IP addressing. See Changing IP Addressing, on page 133 for more information. For more detailed instructions, see the Online Help.Proceed to the Configuration Overview to begin with the configuration.

Configuration OverviewThe upgrade procedure is the same for StoneGate Firewall/VPN and IPS systems:1. Check the latest known issues list at the Stonesoft website for the version you

are about to install at http://www.stonesoft.com/en/support/technical_support_and_documents/.

2. Obtain the installation files at https://my.stonesoft.com/download/ and check the installation file integrity (see Checking File Integrity, on page 121).

3. Burn the .iso image file you downloaded onto a CD-ROM using your CD-burning software (this CD-ROM is later referred to as the StoneGate installation CD-ROM).

4. Read the release notes for the new version you are about to install. They can be found in the directory where you saved the installation files, or at the Stonesoft website at http://www.stonesoft.com/en/technical_support_and_documents/.

5. (If automatic updates have not been configured for licenses) Update the licenses (see Upgrading or Generating Licenses, on page 122). See the Online Help for information on configuring automatic updates for licenses.

120 Chapter 8: Upgrading And Updating

http://www.stonesoft.com/en/support/technical_support_and_documents/


https://my.stonesoft.com/download/


6. Upgrade the Management Server, the Log Servers, and the Monitoring Servers (if any) (see Upgrading the Management Center, on page 126). The operation of StoneGate Sensors and Analyzers is not interrupted even if the Management Center is offline.

7. Upgrade the Management Clients and the Monitoring Clients (if any) (see Distributing StoneGate Clients Through Web Start, on page 47).

8. Upgrade the Sensor and Analyzer engines one by one. Confirm that the upgraded engine operates normally before upgrading the next engine (see Upgrading Engines Remotely, on page 128 or Upgrading Engines Locally, on page 131).

StoneGate operates normally during the upgrade process, even if there are two versions of the different system components running at the same time. For full functionality, all the system components should be upgraded to the same version as soon as possible.When you have downloaded the necessary installation files, proceed to Checking File Integrity.

Checking File IntegrityBefore installing StoneGate, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums are on the StoneGate installation CD-ROM and on the product-specific download pages at the Stonesoft website at http://www.stonesoft.com/download/. For more information on MD5 and SHA-1, see RFC1321 and RFC3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/.Windows does not have MD5 or SHA-1 checksum programs by default, but there are several third-party programs available.

To check MD5 or SHA-1 file checksum1. Obtain the checksum files from the Stonesoft website at http://

www.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 8.1 Checking the File Checksums

4. Compare the displayed output to the checksum on the website.

Caution – Do not use files that have invalid checksums.

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Getting Started with Upgrading StoneGate 121



http://www.rfc-editor.org/

http://www.rfc-editor.org/



After checking the file integrity, burn the ISO file on a CD-ROM using appropriate software and read the release-specific information at the Stonesoft website.Create the installation CD-ROM, then proceed to Upgrading or Generating Licenses. If you are absolutely sure you do not need to upgrade your licenses, proceed to Upgrading the Management Center, on page 126.

Upgrading or Generating LicensesWhen you installed StoneGate for the first time, you installed licenses that work with all versions of StoneGate up to that particular version. If the first two numbers in the old and the new version are the same, the upgrade can be done without upgrading licenses (for example, when upgrading from 1.2.3 to 1.2.4). When either of the first two numbers in the old version and the new version are different, you must first upgrade your licenses (for example, when upgrading from 1.2.3 to 1.3.0). You can either upgrade the licenses at the Stonesoft website or configure in the Management Client that the licenses are automatically regenerated and installed. See the Online Help for information on upgrading the licenses automatically.If you are simultaneously installing new StoneGate components that you have not previously licensed, or if you want to change the IP address for an IP-address-bound license, you must also generate new licenses.If you do not need to upgrade licenses or create new ones, proceed to Upgrading the Management Center, on page 126.If you need new licenses:• Proceed to Upgrading Licenses Under Multiple Proof Codes, on page 124 to upgrade

several licenses at once.• Proceed to Upgrading Licenses Under One Proof Code, on page 123 to upgrade the

licenses one by one.• Proceed to Generating a New License to generate a completely new license.

Generating a New LicenseYou generate the licenses at the Stonesoft website based on your proof-of-license (POL, for software, included in the order confirmation message sent by Stonesoft) or proof-of-serial number (POS, for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.Generated licenses are always for the newest software version you are entitled to, but you can use them with older versions as well.If you are licensing several components of the same type, remember to generate one license for each (it may be more convenient to use the multi-upgrade feature, see Upgrading Licenses Under Multiple Proof Codes, on page 124).There are two types of licenses that you can generate:• IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic control IP addresses. If you want to change the IP


address the license is bound to, you need to fill in a request at the licensing website.

• Management-bound licenses: For firewall and IPS engines (bound to the proof-of- license of the Management Server). These licenses can be switched from one engine to another if you delete the previous element it was bound to or re-license it and refresh its policy.

Note – Management-bound licenses can only be imported to Management Server version 3.0 or newer. If necessary, upgrade your Management Server before importing the engine licenses.

To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) to the correct

field and click Submit. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in (at least) the required fields.5. Enter the IP addresses of the Management Center components you want to

license (if any). The license is bound to the IP address you give, and you will have to return to the licensing page if you need to change the IP address.

6. Enter the Management Server’s proof-of-license code (or the engine’s IP address) for the engines you want to license (if any).

7. Click Submit Request. The license file is sent to you in a moment, and also becomes downloadable in the License Center.

Note – Evaluation license orders or requests for an IP address change of an existing license may need manual processing. See the license page for current delivery times and details.

Proceed to Installing Licenses, on page 125.

Upgrading Licenses Under One Proof CodeA license file generated under one POL or POS code contains the license information for one or more components. You can also always use the multi-upgrade form to upgrade the licenses (see Upgrading Licenses Under Multiple Proof Codes, on page 124).

To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) to the correct

field and click Submit. The license page opens.3. Click Update. The license upgrade page opens.4. Follow the directions on the page that opens to upgrade the license.


http://www.stonesoft.com/license/

http://www.stonesoft.com/license/

Repeat for other licenses. When done, proceed to Installing Licenses, on page 125.

Upgrading Licenses Under Multiple Proof CodesIf you have several existing licenses with different POL or POS codes that you need to upgrade, you can make the work easier by generating the new licenses all at once.• With any version of the Management Center, you can generate the new licenses by

selecting StoneGate Multi-Upgrade on the licensing website and copy-pasting the POL or POS codes (from the Management Client, e-mail, or elsewhere) directly in the field reserved for this on the Upgrade Multiple StoneGate Licenses page. Proceed to Installing Licenses, on page 125 after doing this.

• With Management Center version 3.2 or newer, you can generate a text file by exporting information on licenses from the Management Client and import the text file to the licensing website as explained below.

To upgrade multiple licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to the type of Licenses you want to

upgrade, or to All Licenses.3. Ctrl-select or Shift-select the licenses you want to upgrade.

Illustration 8.2 Exporting License Information

4. Right-click one of the selected items and select Export License Info from the contextual menu that opens. A file save dialog opens.

5. Select a location and type in a name for the file. The default file ending is .req, but you may change this to something else if required.

6. Click Save. The license information is exported to the file you specified and a message pops up.

7. (Optional) Click Yes in the message to launch the Stonesoft License Center website’s multi-upgrade form in the default Web browser of your system.

8. Upload the license file to the Stonesoft License Center website using the multi-upgrade form, and submit the form with the required details. The upgraded licenses are sent to you.

Select one or more licenses for elements of any type.

Right-click to export.


You can view and download your current licenses at the license website (log in by entering the proof-of-license or proof-of-serial number code at the License Center main page).After receiving the new licenses, proceed to Installing Licenses.

Installing LicensesAfter you have generated a license file (Generating a New License, on page 122), you import the license file into the Management Center.

To install StoneGate licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to Licenses.3. If the IPS engine(s) you want to re-license have a management bound license,

unbind the previous license by right-clicking the license or the engine and selecting Unbind from the menu that opens.

4. Import the licenses from a .jar license file by selecting File→System Tools→Install Licenses from the menu.

5. Select a license file and click Install. The licenses are imported and activated.

Illustration 8.3 Binding a Dynamic License

6. You need to bind each license to a specific engine if your engine licenses are management bound (i.e., tied to the Management Server’s proof-of-license).

6.1 Right-click the license and select Bind. The Select License Binding dialog opens.

6.2 Select the correct engine from the list and click Select to bind the license to this element. The license is now bound to the selected element.

6.3 If you made a mistake, unbind the license by right-clicking it and selecting Unbind.

Caution – When you upload a policy on the engine, the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to in the Management Client. When unbound, such a license is shown as Retained.


7. Check the displayed license information, and that all the components you meant to license have disappeared from the Unlicensed Components folder.

8. You can leave the old licenses as they are, but if you so wish, you can remove them by right-clicking them and selecting Delete from the menu that opens.

If you are upgrading your system, proceed to Upgrading the Management Center.

Upgrading the Management CenterThis section provides an outline that should be sufficient in most cases. For more detailed instructions on how to upgrade the StoneGate Management Center, refer to the Management Center installation process described in Installing the Management Center, on page 23.There is no need to uninstall the previous version. The installer will detect the components that need to be upgraded. When upgrading from an older version, you may need to do an intermediate upgrade before upgrading to the most recent version. See the Release Notes for more information.It is possible to revert automatically to the previous installation, if the Management Center upgrade fails for some reason.We recommend that you backup the Management Server before upgrading it. You are also prompted for making an automatic backup of the Management Server data during the upgrade process. For more information on backing up StoneGate, refer to the Online Help.Before you start the installation, stop the previously installed Management Center components running on the target machine.

To upgrade StoneGate Management Center components1. Check that the StoneGate Management Server and Log Server processes or

services have stopped and that the Management Client is not running on the machine.

2. Insert the StoneGate installation CD-ROM and run the install executable. The License Agreement is shown.

3. Read and accept the License Agreement to continue with the installation.


Illustration 8.4 Defining the Installation Directory

Illustration 8.5 Selecting the Components for Upgrade

4. When upgrading the Management Server, you are prompted to back up the current Management Server data as a precaution. Select Yes to back up the Management Server data to the <installation directory>/backups/ directory.

Caution – If you are working on a Windows system and you run any StoneGate component as a service, make sure that you have closed the Services window before you complete the next step.

5. Check the pre-installation summary and click Install to continue. The upgrade begins.

Installation directory is detected automatically.

All installed components must be upgraded at the same time. You can add more components, if you wish (in that case, see Installing the Management Center, on page 23 for installation instructions).

You can automatically revert to the previously installed version if there are problems with the upgrade.

Upgrading the Management Center 127

• If any system components change in the upgrade, you will be notified of the changes at the end of the upgrade. Click the link(s) in the notification to view the report(s) of system changes in your Web browser.

6. When the upgrade is complete, click Done to close the window. You may have to reboot before you can start the upgraded components.

All Management Clients and Monitoring Clients (if used) must also be upgraded to the new version:• If administrators have Management Clients or Monitoring Clients that were installed

locally, they must be upgraded in the same way as explained above.• If you are distributing Web Start Management Clients from an external server, install

a new Web Start package in the same way as the original installation was made, see Distributing StoneGate Clients Through Web Start, on page 47.

• If you are distributing Web Start clients from the SMC servers, there is no need for a separate update. The local client installations are upgraded automatically when the administrators launch the clients after the SMC servers are upgraded.

The Management Center upgrade is complete. If you are installing new engine versions as well, proceed to Upgrading Engines Remotely, on page 128 or Upgrading Engines Locally, on page 131. If you have the latest engine version, you should check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 39.

Upgrading Engines RemotelyStoneGate supports the remote upgrade of Sensor and Analyzer engines from the Management Server. During a Sensor cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.The remote upgrade has two separate parts, transfer and activation. You can choose to do both parts consecutively, or you can choose to transfer the configuration now and then launch a separate task for the activation at a later time. You can also create a scheduled Task for the remote upgrade as instructed in the Online Help.You can set up Management Server to check periodically for engine upgrades on the Stonesoft website and to inform you of the engine upgrades. You can also configure that the engine upgrades are automatically downloaded. See the Online Help for more information.

Caution – If you are upgrading a Sensor cluster, all the nodes must be together online between upgrading individual nodes. Do not command another node offline before the upgraded node is back online.

Before upgrading StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in the Checking File Integrity, on page 121.


If you have not configured the engine upgrade files to be downloaded automatically, you must first import the engine upgrade file in the system. If the file is already in the system, proceed to Upgrading the Engine below.

To manually import the upgrade file1. If you have not configured automatic remote upgrades for engines, select

File →Import→Import Engine Upgrades. The StoneGate Engine Upgrades File Browser dialog opens.

2. Select the engine upgrade (sg_engine_version_platform.zip file) from the installation CD-ROM and click Import. • The engine upgrade is imported to the <installation directory>/data/engineupgrades/ directory on your Management Server.

Upgrading the Engine

To command a node offline for the upgrade

Illustration 8.6 Commanding Node Offline for Upgrade

2. If you want to activate the new version now (and not only transfer it), right-click the node you want to upgrade and select Commands→Go Offline from the menu that opens.

1. Click the System Status button.

Upgrading Engines Remotely 129

To start the upgrade

Illustration 8.7 Starting Upgrade Process

To select remote upgrade task options

Illustration 8.8 Remote Upgrade

Caution – Do not activate the new configuration simultaneously on all the nodes of a cluster. Activate the new configuration one node at a time.

When you have made the selections, click OK. A new tab opens showing the progress of the upgrade. The time it takes to upgrade the node varies depending on the

Right-click the node and select Upgrade Software from the menu that opens.

1. Select whether you want to transfer the new software and activate it later, or whether you want to do both now.

2. Check the node selection and modify, if necessary.

3. Check the Engine Version for the upgrade and change it, if necessary.


performance of your machine and the network environment. Click Abort, if you want to stop the upgrade.If you chose to activate the new configuration, once the engine is successfully upgraded, the machine is automatically rebooted and the upgraded engine is brought up to offline state.

To finish the upgradeWhen upgrade is ready, right-click the upgraded node and select Commands→Go Online to command the node online.

If you are upgrading a Sensor cluster, continue the upgrade on the next node when the upgraded node is operational. StoneGate operates normally with two different versions of the engines online during the upgrade.

Note – The engines have two partitions. When an engine is upgraded, the inactive partition is used. When the upgrade is finished, the active partition is switched. The earlier configuration is kept on the inactive partition. You can use the sg-toggle-active command to change the active partition or to downgrade to the previous engine version. See Command Line Tools, on page 141 for more information.

Proceed to check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 39.

Upgrading Engines Local lyIn addition to upgrading the Sensor and Analyzer engines remotely from the Management Server, it is possible to upgrade the engines locally at the site as described in this section. During a Sensor cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

Caution – If you are upgrading a Sensor cluster, all the nodes must be together online between upgrading individual nodes. Do not command another node offline before the upgraded node is back online.

Proceed to Upgrading StoneGate IPS.

Upgrading StoneGate IPSFollow the procedure below to upgrade StoneGate engines to the latest version locally at the engine location.

To upgrade the engine1. Log in to the node as root.

Upgrading Engines Locally 131

2. Insert the StoneGate engine installation CD-ROM into the engine’s CD-ROM drive.

3. There are two ways to upgrade the node:• Normal upgrade: type the command sg-upgrade to start the upgrade process.

Continue in Step 6.• Upgrade with configuration options: reboot the node from the CD-ROM with the

command reboot. The upgrade uses the Installation Wizard. Continue in Step 4.

Illustration 8.9 Upgrade Options

4. If the node is rebooted from the CD-ROM, choose one of these four options:• Upgrade existing installation: choose this option to upgrade the previous

installation to a new version. This option is recommended for most upgrades.• Re-install using configuration from existing installation: choose this option to

re-install the engine using the existing configuration files. Refer to the platform- specific engine installation chapter for instructions.

• Full re-install: choose this option to reinstall the engine completely by removing the engine’s current configuration. Refer to the platform-specific engine installation chapter for instructions.

• Full re-install in expert mode: choose this option to reinstall the engine in expert mode by removing the engine’s current configuration. Refer to the platform-specific engine installation chapter for instructions.

5. Select 1 to upgrade the previous installation and press ENTER to continue. The upgrade process starts.

6. Right-click the upgraded node in the Management Client and select Go Online to command the node online. The node can also be put online with the command sg-cluster online on the node.

7. If you are upgrading a Sensor cluster, continue the upgrade on the next node only after the upgraded node is back online. StoneGate operates normally with two different versions online during the upgrade.


Note – The engines have two partitions. When an engine is upgraded, the inactive partition is used. When the upgrade is finished, the active partition is switched. The earlier configuration is kept on the inactive partition. You can use the sg-toggle-active command to change the active partition or to downgrade to the previous engine version. See Command Line Tools, on page 141 for more information.

Check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 39.

Changing IP AddressingThe following instructions explain how you can change IP addresses without losing management connectivity. When you change IP addressing, other connections between the different components may be temporarily lost. Make sure that the connections return to normal after the IP address changes.

Note – If you do not mind losing management connectivity, you can change IP addressing by running the sg-reconfigure command on the engine command line to return the engine to the initial configuration state and to re-establish initial contact between the engine and the Management Server. See the Online Help for more information.

See the following sections:• Changing the Management Server’s IP Address, on page 133• Changing the Log Server’s IP Address, on page 134• Changing IP Addresses if the Management Server and the Log Server Run on the

Same Machine, on page 134

Changing the Management Server’s IP AddressThis section explains how to change the Management Server’s IP address if the Management Server and the Log Server are on different machines. If your Management Server and Log Server are on the same machine, see Changing IP Addresses if the Management Server and the Log Server Run on the Same Machine, on page 134.

To change the Management Server’s IP address1. Request an IP address change for your Management Server license at the

Stonesoft License Center (see Upgrading or Generating Licenses, on page 122).2. Run the sgChangeMgtIPOnMgtSrv script on the Management Server (see

Command Line Tools, on page 141).3. Run the sgChangeMgtIPOnLogSrv script on all the Log Servers (see Command

Line Tools, on page 141).

Changing IP Addressing 133

Changing the Log Server’s IP AddressWhen you change the Log Server’s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

To change the Log Server’s IP address1. Request an IP address change for your Log Server license at the Stonesoft

License center (see Upgrading or Generating Licenses, on page 122).2. Open the <installation directory>/data/LogServerConfiguration.txt

file on the Log Server and update the IP address information.3. Open the Log Server properties and update the IP address.4. Refresh the policies on the engines to transfer the changed IP address

information to them.

Changing IP Addresses if the Management Server and the Log Server Run on the Same MachineThis section explains how to change the Management Server’s IP address if the Management Server and the Log Server are on the same machine. If your Management Server and Log Server are on separate machines, see Changing the Management Server’s IP Address, on page 133 and Changing the Log Server’s IP Address, on page 134.When you change the Log Server’s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

To change IP Addresses if the Management Server and Log Server run on the same machine

1. Request an IP address change for your Management Server and Log Server licenses at the Stonesoft License Center (see Upgrading or Generating Licenses, on page 122).

2. Run the sgChangeMgtIPOnMgtSrv script on the Management Server.3. Run the sgChangeMgtIPOnLogSrv script on the Log Server.4. Open the <installation directory>/data/LogServerConfiguration.txt

file on the Log Server and update the IP address information.5. Open the Log Server properties and update the IP address.


CHAPTER 9 Uninstalling StoneGate

This chapter instructs how to uninstall the StoneGate software.


Uninstalling the Management Center, on page 136 Uninstalling the Engines, on page 137

135

Uninstal l ing the Management CenterThe Management Client uses a “.stonegate” directory in the user’s home directory in the operating system. The directory contains the Management Client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

Uninstalling in WindowsIf you have several Management Center components installed on the same computer, they are all uninstalled at once. It is not possible to pick individual components to uninstall.

To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Go the the Control Panel and start the Management Center uninstallation.

Alternatively, run the <installation directory>\uninstall\uninstall.bat script.

3. In the window that opens, right-click StoneGate and select Uninstall in the menu that opens.

Illustration 9.1 Uninstall StoneGate Management Center

4. Click Uninstall. All installed components are uninstalled.

To uninstall in non-graphical mode1. Run the uninstall script

<installation directory>\uninstall\uninstall.bat -nodisplay

136 Chapter 9: Uninstalling StoneGate

Uninstalling in Linux

To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Run the <installation directory>/uninstall/uninstall.sh script.

To uninstall in non-graphical mode• Run the uninstall script

“. <installation directory>/uninstall/uninstall.sh -nodisplay”.The sgadmin account is deleted during the uninstallation.

Uninstal l ing the EnginesServers on which StoneGate IPS engines are installed are dedicated to their task as a Sensor and/or Analyzer. To remove StoneGate and transfer your server to other use, you must format the hard disk and install an operating system.

Caution – StoneGate appliances are designed to run the StoneGate IPS software. Do not attempt to remove the IPS software or install any other software on the appliances.

Uninstalling the Engines 137

138 Chapter 9: Uninstalling StoneGate

Appendices

APPENDIX A Command Line Tools

This appendix describes the command line tools for StoneGate Management Center and the engines.


Management Center Commands, on page 142 Engine Commands, on page 150

141

Management Center CommandsThe Management Server and the Log Server commands are found in the <installation directory>/bin/ directory. In Windows, the command line tools are *.bat script files. In Linux and Unix, the files are *.sh scripts.The command for post-processing report files is in the <installation directory>/data/reports/bin/ directory. It runs the sgPostProcessReport.bat (in Windows) or .sh script (in Linux/Unix) on the Management Server.

Note – Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.

TABLE A.1 Management Center Command Line Tools

Command Description

sgArchiveExport i=INPUT_FILEpass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ -v ] [ -h ]

Displays or exports logs from the log archive files. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.i=INPUT_FILE parameter defines the source archive from which the logs will be exported.pass=PASSWORD parameter defines the password for the user account used for this export.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data for exporting. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data for exporting.format=[CSV|XML] parameter defines the file format for the output file. If this option is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this option is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this option is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this option is not defined, the output is displayed on screen.-h option displays information on using the script.-v option displays verbose output on the command execution.

142 Appendix A: Command Line Tools

sgBackupLogSrv

Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the backup using the sgRestoreLogBackup command. When creating or restoring the backup, twice the size of log database is required on the destination drive. Otherwise, the backup or restoration process fails.

sgBackupMgtSrv

Creates a backup of all Management Server configuration and database data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the entire backup (the Management Server database and/or configuration files) using the sgRestoreMgtBackup command. You can restore just the Management Server database using the sgRecoverMgtDatabase command.When creating or restoring the backup, twice the size of the Management Server database is required on the destination drive. Otherwise, the backup or restoration process fails.

sgCertifyLogSrv

Certifies the Log Server on the Management Server. The certificate is required to allow secure communication between the Log Server and the Management Server.As long as the new certificate is issued by a trusted certificate authority, renewing the certificate does not require changing the configuration of any other system components.

sgCertifyMgtSrv

Recreates the Management Server’s certificate. The Management Server certificate is required for secure communications between the StoneGate system components, as well as for the VPN connections that use the certificate authentication.

sgCertifyMonitoringServerCertifies the Monitoring Server on the Management Server. The certificate is required to allow secure communication between the Monitoring Server and the Management Server.

sgChangeMgtIPOnLogSrv NEW_IP_ADDR

Changes the Management Server’s IP address on the Log Server. Use this command to configure a new Management Server’s IP address on the Log Server. Restart the Log Server after this command.NEW_IP_ADDR is the new Management Server’s IP address.

TABLE A.1 Management Center Command Line Tools (Continued)

Command Description

Management Center Commands 143

sgChangeMgtIPOnMgtSrv NEW_IP_ADDR

Changes the Management Server’s IP address. Use this command when you want to change the Management Server’s IP address to reflect changes made in the operating system. Restart the Management Server after this command. NEW_IP_ADDR is the new Management Server’s IP address

sgClient Starts the StoneGate Management Client.

sgCreateAdminCreates a superuser administrator account. The Management Server needs to be stopped before running this command.

sgDeleteElement[-host=MANAGEMENT_SERVER_ADDRESS][-user=LOGIN_NAME][-password=PASSWORD][-name=ELEMENT_TO_DELETE][-multiple=DELETE_ALL_MATCHES][-type=TYPE_OF_OBJECT][-listType=ALLOWED_OBJECT_TYPE][ -h ]

Deletes elements from the Management Server database. Run the command without arguments to see usage instructions.host=MANAGEMENT_SERVER_ADDRESS parameter defines the address of the Management Server from whose database the element(s) are deleted. If this parameter is not defined, the default address 127.0.0.1 is used for the operation.user=LOGIN_NAME parameter defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.password=PASSWORD parameter defines the password for the user account used for this operation.name=ELEMENT_TO_DELETE parameter defines the name of the element(s) to be deleted. Be default, only the first matching element is deleted.multiple=DELETE_ALL_MATCHES option defines that all the elements matching the value(s) set for the selected parameter(s) (for example, the name parameter) are deleted.type=TYPE_OF_OBJECT parameter defines the Type of the element(s) to be deleted.listType=ALLOWED_OBJECT_TYPE option lists the values that may be used with the type parameter.-h option displays information on using the script.


Command Description


sgExport [-host=host] -login=login name -password=password -file=file path and name -type= <all|nw|ips|sv|pa|rb|al>

[-recursion] [-name= <Element Name 1, Element Name 2, ...>]

Exports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.The type parameter specifies which types of elements are included in the export file: all=all exportable elements, nw=network elements, ips=IPS elements sv=services, pa=protocol agents, rb=security policies, al=alerts.The optional recursion parameter includes referenced elements in the export, for example, the network elements used in a policy that you export.The optional name parameter allows you to specify by name the element(s) that you want to export.

sgHA [host=host] login=login name password=password [-h|--help] [-set-active] [-set-standby][-force-active][-sync]

Switches between the active and the standby management servers.-h | --help options display the help message.-set-active option sets a standby management server as the active management server, sets the formerly active management server as a standby management server, and synchronizes the database between them.-set-standby option sets the active management server as a standby management server.-force-active option sets a standby management server as the active management server without synchronizing the database with the formerly active management server.-sync option functions differently on a standby management server and an active management server. If you run it on an active management server, it replicates the active database to every standby management server that does not have the Disable Database Replication option selected in its properties. If you run it on a standby management server, it replicates the active database from the active management server only to this standby management server (regardless of whether the Disable Database Replication option is or is not selected in the standby management server’s properties).


Command Description


sgImport [host=host] login=login name password=password file=file path and name

Imports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.When importing, existing (non-default) elements are overwritten, unless the element types mismatch.

sgImportExportUser [host=host] login=login name pass=password action=[import|export] file=file path and name

Imports and exports a list of Users and User Groups in an LDIF file from/to the Management Server’s internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).Host specifies the address of the host that holds or will hold the LDIF file. If no specific host address is given, the host where the script is executed is used for the operation.Example: sgImportExportUser login=ricky pass=abc123 action=export file=c:\temp\exportedusers.ldif

The user information in the export file is stored as plaintext. Handle the file securely.

sgInfo

Creates a ZIP file that contains copies of configuration files and the system trace files containing logs on problem situations. The ZIP file is stored in the user’s home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes.

sgReinitializeLogServerRecreates the Log Server configuration if the configuration file has been lost.


Command Description


sgReplicate [-h|--help] [-nodiskcheck] [-backup backupname]-standby-server management-name

Replicates Management Server backup to the Secondary Management Server.-h | --help options display the help message-backup backupname option specifies the location of the backup file. If this is not specified, you are prompted to select the backup file from a list of files found in the backups directory.-nodiskcheck option disables the free disk space check before the backup restoration.-standby-server management-name option specifies the Secondary Management Server on which the backup is replicated.

sgRestoreArchive ARCHIVE_DIR

Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0 – 31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

sgRestoreCertificateRestores the Certificate Authority (CA) or the Management Server certificate from a backup file in the <installation directory>/backups/ directory.

sgRestoreLogBackupRestores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgRestoreMgtBackupRestores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgShowFingerPrintDisplays the CA certificate’s fingerprint on the Management Server.

sgStartLogDatabaseStarts the Log Server’s database. (The Log Server’s database is started and stopped automatically when starting/stopping the Log Server service.)

sgStartLogSrv Starts the Log Server and its database.


Command Description


sgStartMgtDatabaseStarts the Management Server’s database. (The Management Server’s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStartMgtSrv Starts the Management Server and its database.

sgStartMonitoringServer Starts the Monitoring Server used by the Monitoring Client.

sgStopLogDatabase Stops the Log Server’s database.

sgStopMgtDatabaseStops the Management Server’s database. (The Management Server’s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStopMonitoringServer Stops the Monitoring Server used by the Monitoring Client.

sgStopRemoteMgtSrv [-host HOST] [-port PORTNUM] [-login LOGINNAME] [-pass PASSWORD]

Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.HOST is the Management Server’s host name if not localhost.PORT is the Management Server’s Management Client port number (by default, 8902).LOGINNAME is a StoneGate administrator account for the login.PASSWORD is the password for the administrator account.


Command Description


sgTextBrowser pass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ m=current|stored ] [ -v ] [ -h ]

Displays or exports current or stored logs. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.pass=PASSWORD parameter defines the password for the user account used for this operation.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data.format=[CSV|XML] parameter defines the file format for the output file. If this option is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this option is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this option is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this option is not defined, the output is displayed on screen.m=current|stored parameter defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.-h option displays information on using the script.-v option displays verbose output on the command execution.


Command Description


Engine CommandsStoneGate engine commands can be run from the command line on the analyzer or the sensor.

TABLE A.2 StoneGate-specific Command Line Tools on Engines

Command Description

sg-bootconfig[--primary-console=tty0|ttyS PORT,SPEED][--secondary-console= [tty0|ttyS PORT,SPEED]][--flavor=up|smp][--initrd=yes|no][--crashdump=yes|no|Y@X][--append=kernel options][--help]apply

Can be used to edit boot command parameters for future bootups.--primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.--secondary-console= [tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.--flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.--initrd=yes|no parameter defines whether Ramdisk is enabled or disabled.--crashdump=yes|no|Y@X parameter defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.--append=kernel options parameter defines any other boot options to add to the configuration.--help parameter displays usage information.apply command applies the specified configuration options.

sg-clear-all

Use this only if you want to return a StoneGate appliance to its factory settings.Clears all configuration from the engine. You must have a serial console connection to the engine to use this command.

sg-contact-mgmt

Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine’s initial configuration is saved.


sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"][-s] [-h]

Can be used in scripts to create log messages with the specified properties.-f FACILITY_NUMBER parameter defines the facility for the log message.-t TYPE_NUMBER parameter defines the type for the log message.-e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).-i "INFO_STRING" parameter defines the information string for the log message.-s parameter dumps information on option numbers to stdout-h parameter displays usage information.

sg-raid[-status] [-add] [-re-add] [-force][-help]

Configures a new hard drive on a StoneGate appliance. This command is only available for StoneGate appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.-status option displays the status of the hard drive.-add options adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.-re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all the arrays.-help option option displays usage information.

sg-reconfigure[--boot][--maybe-contact][--no-shutdown]

Used for reconfiguring the node manually.--boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.--maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.--no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

sg-status [-l] [-h] Displays information on the engine’s status.-l option displays all available information on engine status.-h option displays usage information.

TABLE A.2 StoneGate-specific Command Line Tools on Engines (Continued)

Command Description

Engine Commands 151

The table below lists some general operating system commands that may be useful in running your StoneGate engines. Some commands can be stopped by pressing Ctrl+c.

sg-toggle-active SHA1 SIZE |--force [--debug]

Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine.You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls-l /var/run/stonegate.The SHA1 SIZE option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.--debug option reboots the engine with the debug kernel.--force option switches the active configuration without first verifying the signature of the inactive partition.

sg-version Displays the software version and build number for the node.

sginfo [-f] [-d] [-s] [-p] [--] [--help]

Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support.-f option forces sgInfo even if the configuration is encrypted.-d option includes core dumps in the sgInfo file.-s option includes slapcat output in the sgInfo file.-p option includes passwords in the sgInfo file (by default passwords are erased from the output).-- option creates the sgInfo file without displaying the progress--help option displays usage information.

TABLE A.2 StoneGate-specific Command Line Tools on Engines (Continued)

Command Description

TABLE A.3 General Command Line Tools on Engines

Command Description

dmesgShows system logs and other information. Use the -h option to see usage.


halt Shuts down the system.

ipDisplays IP-address related information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.

pingTool for sending ICMP echo packages to test connectivity. Type the command without options to see usage.

ps Reports status of running processes.

rebootReboots the system. Upon reboot, you enter a menu with startup options. For example, this menu allows you to return the engine to the previous configuration.

scp Secure copy. Type the command without options to see usage.

sftpSecure FTP (for transferring files securely). Type the command without options to see usage.

sshSSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdumpGives information on network traffic. Use the -h option to see usage.

topDisplays the top CPU processes taking most processor time. Use the -h option to see usage.

tracerouteTraces the route packets take to the specified destination. Type the command without options to see usage.

vpninfoOutputs various VPN related information. Type the command without options to see usage.

TABLE A.3 General Command Line Tools on Engines (Continued)

Command Description

Engine Commands 153


APPENDIX B StoneGate IPS Ports

StoneGate IPS uses SSL/TLS-secured TCP connections between the system components. The connections and the TCP ports used are illustrated below.

Illustration B.1 TCP Connections Between the StoneGate IPS Components

155

In Illustration B.1, the listening TCP ports are indicated in the boxes next to each system component. The connections are established in the direction of the arrows. The dashed arrows indicate the one-time connections during the initial configuration of the system components when they establish a trust relationship with the Management Server. After a successful initial connection, all the communications between the components take place as indicated by the arrows with the solid lines.The following table lists the ports used in communication between the StoneGate IPS components.

TABLE B.1 StoneGate IPS Ports

Listening hosts Port/Protocol Contacting

Hosts Service Description Service Element Name

Analyzer 18889/TCPManagement Server

Control connections, status monitoring, and policy upload

SG Commands (Analyzer)

Analyzer 18890/TCP Sensor Event data sent from the Sensors. SG Event Transfer

Analyzer 4950/TCPManagement Server

Remote upgrade from the Management Server

SG Remote-Upgrade

Analyzer 514/UDP syslogSyslog messages forwarded to Analyzer

Syslog (UDP)

Log Server 3020/TCPAnalyzer, Sensor

Log and alert messages from Analyzers and recording file transfers from Sensors

SG Log

Log Server8914-8918/TCP

Management Client, Monitoring Server

Management Client and Monitoring Server connections to the Log Server.

SG Data Browsing, SG Data Browsing (Monitoring Server)

Management Server

3021/TCPSensor, Analyzer

Initial contact from Sensor or Analyzer during installation

SG Initial Contact

Management Server

5936/TCP Log ServerInitial contact from Log Server during installation

SG Log Initial Contact

Management Server

8902-8913/TCP

Management Client, Log Server

Management Client and Log Server connections to the Management Server

SG Control

Monitoring Server

8919-8921/TCP

Monitoring Client

Monitoring Client connection to Monitoring Server.

SG Control (Monitoring Client)

156 Appendix B: StoneGate IPS Ports

Sensor 18888/TCPManagement Server

Control connections, status monitoring, and policy upload

SG Commands (Sensor)

Sensor

3000-3001/UDP3002,3003, 3010/TCP

SensorHeartbeat and state synchronization between the cluster nodes.

SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync

Sensor 4950/TCPManagement Server

Remote upgrade from the Management Server

SG Remote Upgrade

StoneGate firewall

15000/TCPManagement Server, Analyzer

Blacklist entries sent to firewall SG Blacklisting

TABLE B.1 StoneGate IPS Ports (Continued)

Listening hosts Port/Protocol Contacting

Hosts Service Description Service Element Name

157

158 Appendix B: StoneGate IPS Ports

APPENDIX C Example Network Scenario

To give you a better understanding of how StoneGate fits into a network, this section outlines a network with IPS Sensors and Analyzers.All illustrations of the software configuration in the subsequent chapters are filled in according to this example scenario; this way, you can compare how the settings in the various dialogs relate to overall network structure whenever you like.


Overview of the Example Network, on page 160 Example Management Center, on page 161 Example Combined Sensor-Analyzer, on page 161 Example Sensor Cluster, on page 162 Example Single Sensor, on page 163 Example Analyzer, on page 163

159

Overview of the Example NetworkThree example Sensor installations are described in this Guide: • a combined Sensor-Analyzer• a single Sensor• a Sensor cluster installation. The two different Analyzer installations are illustrated with • a combined Sensor-Analyzer • an Analyzer on a separate machine. The network scenario for these installations is based on the example network in Figure C.1.Please, see the StoneGate IPS Administrator’s Reference for more information on deploying the StoneGate IPS components.

FIGURE C.1 Example Network Scenario

160 Appendix C: Example Network Scenario

Example Management CenterThe SMC of the example scenario is described in Table C.1.

Example Combined Sensor-AnalyzerIn the example scenario, the Branch Office Sensor-Analyzer in the Branch Office network is a combined Sensor-Analyzer.

TABLE C.1 SMC in the Example Scenario

SMC Component Description

Management Server

The Management Server in the Headquarters’ Management Network with the IP address 192.168.10.200. This Management Server manages all the StoneGate IPS Sensors, Analyzers, and Log Servers of the example network.

HQ Log ServerThis server is located in the Headquarters’ Management Network with the IP address 192.168.10.201. This Log Server receives alerts and log data from the HQ Analyzer.

Branch Office Log Server

This server is located in the Branch Office Intranet with the IP address 172.16.2.201. This Log Server receives alerts and log data from the Branch Office Sensor-Analyzer.

Management Client

The Management Client can be at any location where it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple Management Clients in different locations. In this example, the Management Client is located in the Headquarters’ Management Network.

TABLE C.2 Combined Sensor-Analyzer in the Example Scenario

Network Interface Description

Capture Interfaces

The Branch Office Sensor-Analyzer has two Capture Interfaces that are connected to a network TAP in a Branch Office Intranet: one interface for each direction of the traffic. All the traffic in this network segment is forwarded to the network TAP for inspection

Example Management Center 161

Example Sensor ClusterIn the example scenario, HQ Sensor Cluster is a cluster located in the Headquarters network. The cluster consists of two Sensor nodes: Node 1 and Node 2.

NDIs

The Branch Office Sensor-Analyzer has one NDI that is connected to the Branch Office Intranet using the IP address 172.16.2.41. This NDI is used for:control connections from the Management Serversending log data and alerts to the Branch Office Log Serverfor TCP connection termination (by the Sensor)

TABLE C.2 Combined Sensor-Analyzer in the Example Scenario (Continued)


TABLE C.3 Sensor Cluster in the Example Scenario


Capture Interfaces

The HQ Sensor Cluster’s Capture Interface on each node is connected to a SPAN port in the Headquarters Intranet switch. All the traffic in this network segment is forwarded to the SPAN ports for inspection.

NDIs

The NDI on each node is connected to the Headquarters Intranet with Node 1’s IP address 172.16.1.41 and Node 2’s address 172.16.1.42. This NDI is used for:control connections from the Management Serversending events to the HQ Analyzerfor TCP connection termination.

Heartbeat interfaces

The nodes have heartbeat interfaces connected to the dedicated heartbeat network 10.42.1.0/24 as follows: Node 1 uses the IP address 10.42.1.41 and Node 2 uses the IP address 10.42.1.42.


Example Single SensorIn the example scenario, the DMZ Sensor in the Headquarters DMZ network is a single Sensor.

Example AnalyzerIn the example scenario, the HQ Analyzer is located in the Headquarters’ Management network.

TABLE C.4 Single Sensor in the Example Scenario


Capture Interfaces

The DMZ Sensor’s Capture Interface is connected to a SPAN port in the Headquarters’ DMZ Network. All the traffic in this network segment is forwarded to the SPAN port for inspection.

NDIs

The NDI is connected to the DMZ network using the IP address 192.168.1.41. This NDI is used for:control connections from the Management Serversending event information to the HQ Analyzerfor TCP connection termination.

TABLE C.5 Analyzer in the Example Scenario


NDIs

The HQ Analyzer’s NDI is connected to the Headquarters’ Management Network using the IP address 192.168.10.61. This NDI is used for:control connections from the Management Serverreceiving event information from the HQ Sensor Cluster and the DMZ Sensorsending log data and alerts to the HQ Log Serversending IP Blacklists to the defined firewalls.

Example Single Sensor 163


Legal Information

LicensesStonesoft products are sold pursuant to their relevant End-User License Agreements. By installing or otherwise using Stonesoft products in any way, end-users agree to be bound by such agreement(s). See Stonesoft's website, www.stonesoft.com for further details.If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export RestrictionsThe products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

Licenses 165

http://www.stonesoft.com/

Patent NoticeMulti-Link, Multi-Link VPN, and the StoneGate clustering technology—as well as other technologies included in StoneGate—are protected by pending patent applications in the U.S. and other countries.

End-User Licence AgreementThe use of the Stonegate products is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html.

Software Licensing InformationThe StoneGate software includes several open source or third-party software packages to support certain features. This section provides the appropriate software licensing information for those products.

GNU General Public LicenseVersion 2, June 1991Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.The precise terms and conditions for copying, distribution and modification follow.

166 Legal Information



GNU GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may

be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided

that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your

Software Licensing Information 167

rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE

EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New ProgramsIf you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.


To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.>Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail.If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of authorGnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program‘Gnomovision’ (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of ViceThis General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

GNU LESSER GENERAL PUBLIC LICENSEVersion 2.1, February 1999Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.


To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.GNU LESSER GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:a) The modified work must itself be a software library.b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.


c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.This option is useful when you wish to copy part of the code of the Library into a program that is not a library.4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that workunder terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified


Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version


or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OROTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFYAND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New LibrariesIf you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.<one line to give the library's name and a brief idea of what it does.>Copyright (C) <year> <name of author>This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names:Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker.<signature of Ty Coon>, 1 April 1990Ty Coon, President of ViceThat's all there is to it!

OpenSSL ToolkitThis software includes the OpenSSL toolkit.LICENSE ISSUES==============The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected] License---------------Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgment:“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.(http://www.openssl.org/)”The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected] derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.Redistributions of any form whatsoever must retain the following acknowledgment: ‘This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes cryptographic software written by Eric Young, ([email protected]). This product includes software written by Tim Hudson ([email protected]).Original SSLeay License-----------------------Copyright (C) 1995-1998 Eric Young ([email protected]). All rights reserved.This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape’s SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])” The word ‘cryptographic’ can be left out if the rouines from the library being used are not cryptographic related:-).If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: ‘This product includes software written by Tim Hudson ([email protected])”THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

OpenLDAPThis software includes the OpenLDAP client developed by The OpenLDAPFoundation. Original version of the OpenLDAP client can be downloaded from http://www.openldap.org This software includes the OpenLDAP server. The OpenLDAP Public License Version 2.7, 7 September 2001Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain copyright statements and notices,


2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and3. Redistributions must contain a verbatim copy of this document.The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use the Software under terms of this license revision or under the terms of any subsequent revision of the license.THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.OpenLDAP is a trademark of the OpenLDAP Foundation.Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distributed verbatim copies of this document is granted.

libradius1This software includes the libradius1 package.Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <[email protected]>Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copy ight and permission notice appear on all copies and supporting documentation, the name of Lars Fenneberg not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Lars Fenneberg.Lars Fenneberg makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------Copyright 1992 Livingston Enterprises, Inc.Livingston Enterprises, Inc. 6920 Koll Center Parkway Pleasanton, CA 94566Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Livingston Enterprises, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc.Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------[C] The Regents of the University of Michigan and Merit Network, Inc. 1992, 1993, 1994, 1995 All Rights Reserved.Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies of the software and derivative works or modified versions thereof, and that both the copyright notice and this permission and disclaimer notice appear in supporting documentation.THIS SOFTWARE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the University of Michigan and Merit Network, Inc. shall not be liable for any special, indirect, incidental or consequential damages with respect to any claim by Licensee or any third party arising from use of the software.------------------------------------------------------------------------------Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.


TACACS+ ClientThis software contains TACACS+ client.Copyright (c) 1995-1998 by Cisco systems, Inc.Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies of the software and supporting documentation, the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that modification, copying and distribution is by permission of Cisco Systems, Inc.Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithmCopyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work.RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.

libwwwThis software contains libwww software.Copyright © 1995-1998 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.This program is distributed under the W3C's Intellectual Property License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See W3C License http://www.w3.org/Consortium/Legal/ for more details.------------------------------------------------------------------------------Copyright © 1995 CERN. "This product includes computer software created and made available by CERN. This acknowledgment shall be mentioned in full in any product which includes the CERN computer software included herein or parts thereof."

W3C® SOFTWARE NOTICE AND LICENSEhttp://www.w3.org/Consortium/Legal/2002/copyright-software-20021231This work (and included software, documentation such as READMEs, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions.Permission to copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications: 1. The full text of this NOTICE in a location viewable to users of the redistributed or derivative work. 2. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, the W3C Software Short Notice should be included (hypertext is preferred, text is permitted) within the body of any redistributed or derivative code. 3. Notice of any changes or modifications to the files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.____________________________________This formulation of W3C's notice and license became active on December 31 2002. This version removes the copyright ownership notice such that this license can be used with materials other than those owned by the W3C, reflects that ERCIM is now a host of the W3C, includes references to this specific dated version of the license, and removes the ambiguous


grant of "use". Otherwise, this version is the same as the previous version and is written so as to preserve the Free Software Foundation's assessment of GPL compatibility and OSI's certification under the Open Source Definition. Please see our Copyright FAQ for common questions about using materials from our site, including specific terms and conditions for packages like libwww, Amaya, and Jigsaw. Other questions about this notice can be directed to [email protected] Reagle <[email protected]>Last revised by Reagle $Date: 2003/01/16 15:01:10 $Last revised by Reagle $Date: 2003/01/16 15:01:10 $

XML-RPC C Library LicenseThis software contains software covered by the XML-RPC C Library License.Copyright (C) 2001 by First Peer, Inc. All rights reserved.Copyright (C) 2001 by Eric Kidd. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Expat LicenseThis software contains software covered by the Expat License.Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center LtdPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ABYSS Web Server LicenseThis software contains software covered by the ABYSS Web Server LicenseCopyright (C) 2000 by Moez Mahfoudh <[email protected]>. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS `ÀS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING


NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Python 1.5.2 LicenseThis software contains software covered by the Python 1.5.2 License.Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum, Amsterdam, The Netherlands.All Rights ReservedPermission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of Stichting Mathematisch Centrum or CWI or Corporation for National Research Initiatives or CNRI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.While CWI is the initial source for this software, a modified version is made available by the Corporation for National Research Initiatives (CNRI) at the Internet address ftp://ftp.python.org.STICHTING MATHEMATISCH CENTRUM AND CNRI DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM OR CNRI BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The Apache Software License, Version 1.1This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."Copyright (C) 1999 The Apache Software Foundation. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.4. The names "log4j" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.THIS SOFTWARE IS PROVIDED `ÀS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Bouncy Castle notice and license.Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Package: discover-dataDebian package author: Branden RobinsonThe contents of this package that are not in the debian/ subdirectory are simple compilations of data and are therefore not copyrightable in the United States (c.f. _Feist Publications, Inc., v. Rural Telephone Service Company, Inc., 499 U.S. 340 (1991)_)._Feist_ holds that: Article I, s 8, cl. 8, of the Constitution mandates originality as a prerequisite for copyright protection. The constitutional requirement necessitates independent creation plus a modicum of creativity. Since facts do not owe their origin to an act of authorship, they are not original and, thus, are not copyrightable. Although a compilation of facts may possess the requisite originality because the author typically chooses which facts to include, in what order to place them, and how to arrange the data so that readers may use them effectively, copyright protection extends only to those components of the work that are original to the author, not to the facts themselves. This fact/expression dichotomy severely limits the scope of protection in fact-based works. Therefore, the hardware information lists that comprise the "meat" of this package enjoy no copyright protection and are thus in the public domain. Note, however, that a number of trademarks may be referenced in the hardware lists (names of vendors and products). Their usage does not imply a challenge to any such status, and all trademarks, service marks, etc. are the property of their respective owners.The remainder of this package is copyrighted and licensed as follows: Package infrastructure: Copyright 2001,2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Branden Robinson for Progeny Linux Systems, Inc.lst2xml conversion script: Copyright 2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Eric Gillespie, John R. Daily, and Josh Bressers for Progeny Linux Systems, Inc.Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Copyright (c) 1999, 2004 Tanuki SoftwarePermission is hereby granted, free of charge, to any person obtaining a copy of the Java Service Wrapper and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons towhom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Portions of the Software have been derived from source code developed by Silver Egg Technology under the following license:Copyright (c) 2001 Silver Egg TechnologyPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.



Index

A

activating initial configuration, 104administration client, see management cli-

entAdvanced Configuration and Power Interface

(ACPI), 98analyzer engine, 98–109analyzers

defining, 55installing, 98–109NDI, 57network interfaces, 56remote upgrade, 128uninstalling, 137

Automatic Power Management (APM), 98

B

BIOS settings, 98booting from CD-ROM, 98

C

certificate authority fingerprint, 34, 39changing IP address, 134checking file integrity, 16–17, 121checksums, 16–17command line installation

see non-graphical installationcommand line tools, 141commands

engine, 150log server, 142management server, 142

compatibilitynetwork devices, 18platforms supported, 16

configuringanalyzer engine, 99–106sensor engine, 99–106

contact addressfor engines, 85for server components, 89

contact information, 12creating

web start files manually, 49–50customer support, 12

D

database user account, 28date and time settings, 16defining

analyzers, 55combined sensor-analyzer, 70inline interfaces, 77routing, 79sensor clusters, 60

181181

single sensors, 65deployment example, 159Distributing, 48documentation available, 11dynamic updates, 39–43

activating, 42downloading, 40importing, 41

E

end-user license agreement, 165example network scenario, 15, 159

F

file integritychecking, 16–17, 121

fingerprint of certificates, 34, 39, 147

G

generatinglicenses, 122–123

GUI client, see management client

H

hardware requirements, 12host files, 16

I

importing initial configuration, 101initial configuration

saving, 91initial configuration, activating, 104inline interfaces

defining, 77installing, 98–109

clients using web start, 48–50

engine in expert mode, 106installation files, 16installation procedure, 15licenses, 34, 125–126log server, 29management center, 23–44management client, 31management clients, 47–51management server, 28–29monitoring server, 31policies, 111–115sensor engine, 98–109

integrity of files, 16–17interface ID numbering, 55IP-address-bound licenses, 17, 122IPS

engines, uninstalling, 137

J

java web start, 47–51

L

legal information, 165license files, 17–18licenses, 17–18

generating, 122–123installing, 34, 125–126IP-address-bound, 17, 122management bound, 17, 123retained type, 125upgrading, 18, 122–125

linux as management center platform, 24locations, 84–85log server, 29–31, 37, 134

M

management bound licenses, 17, 123management center

components, 14

182 Index

installing, 23–44uninstalling, 136–137upgrading, 126–128

management clientconfiguration files, 136installing, 31starting, 33web start, 50

management clientsinstalling, 47–51

management serverinstalling, 28–29starting, 33

management server database user account, 28

MD5 checksum, 16–17, 121mirroring ports, 18monitoring server, 31

N

NAT (network address translation, 84NDI

for analyzer, 57for sensor cluster, 64for sensor-analyzer, 72

network interfacesfor analyzer, 56for sensor cluster, 61for sensor-analyzer, 71for single sensor, 66

node dedicated interface, see NDInon-graphical installation, 43–45

O

one-time passwordcreating, 91using, 105

overview to the installation, 15

P

partitioning hard disk manually, 106platforms supported, 16policies

installing, 111–115system policies, 112

ports, 18

R

requirements for hardware, 12retained licenses, 125routing defining, 79

S

sensor (single)defining, 65network interfaces, 66VLAN tagging, 66

sensor clustersdefining, 60NDI, 64network interfaces, 61VLAN tagging, 61

sensor-analyzer (combined)defining, 70NDI, 72network interfaces, 71VLAN tagging, 71

sensorsinstalling, 98–109remote upgrade, 128uninstalling, 137

serverslog server, 29–31management server, 28–29monitoring server, 31

sgadmin user account, 24SHA-1 checksum, 16–17, 121single firewall

defining VLAN ID, 63, 68, 72

183 183

sniffing network traffic, 103SPAN port, 18starting

log server, 37management client, 33management server, 33

stonegate architecture, 14support services, 12supported platforms, 16system architecture, 14system policies, 112system requirements, 12

T

TAP, 19technical support, 12typographical conventions, 10

U

uninstallingengines, 137management center, 136–137

updating, 119–134upgrading, 119–134

engine locally, 131engine, remotely, 128engines remotely, 128licenses, 122–125management center, 126–128

V

VLAN IDdefining on single firewall, 63, 68, 72

VLAN taggingsensor cluster, 61sensor-analyzer, 71single sensor, 66

W

web start, 47–51web start server

enabling, 48–49wire TAP, 19

184 Index

Available StoneGate Guides:

Administrator Documentation• Administrator’s Guide• Installation Guides• Reference Guides• IPsec VPN Client Administrator’s Guide

End-User Documentation• Monitoring Client User’s Guide• IPsec VPN Client User’s Guide

For PDF versions of the guides and the StoneGate technical knowledge base, visitwww.stonesoft.com/support

Stonesoft CorporationItälahdenkatu 22 AFI-00210 HelsinkiFinlandTel. +358 9 476 711Fax +358 9 4767 1234

Stonesoft Inc.1050 Crown Pointe ParkwaySuite 900Atlanta, GA 30338USATel. +1 770 668 1125Fax +1 770 668 1131

Copyright 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.


Documents

StoneGate IPS Installation Guide 4.3