SunScreen 3.1 Reference Manual

Chapter 5 Administration Graphical User Interface

This chapter describes the administration graphical user interface (GUI) for configuring and administering SunScreen. It contains information on the following topics:

Starting the administration GUI
Elements and navigation of the administration GUI
Function and controls of each page in the administration GUI

Connecting to the Administration GUI

Connect to the administration GUI by starting a browser that can run Java applets, such as HotJava, Netscape Navigator, or Microsoft Internet Explorer.

The SunScreen administration GUI uses Java applets to administer and monitor Screens.

Note -

If your network uses proxies (gateways) for Internet access through a network firewall, you may need to configure your browser to ignore proxies when you are connecting to a Screen. For example, if you type localhost in the Don't Proxy field, your browser will connect to localhost directly. For information on configuring proxies, refer to the documentation for your browser.

Browser Title Bar

FIGURE 5-1 shows the Login page for SunScreen. The title bar of the browser shows the application to which the browser is connecting.

Figure 5-1 SunScreen Login Page

Navigation Buttons on the Navigation Browser Bar

You can use the navigation buttons shown in the navigation bar of the browser to move from the current page of the administration GUI to a previous page, from the current page to a next page as available, or to refresh the current page. Each browser behaves somewhat differently when you use these buttons. You will have more consistent success if you use the navigation buttons provided in the administration GUI. See "Administration GUI Navigation Bar and Buttons".

If you have changed any of the information and have not saved your changes, you will receive a warning message that you have unsaved changes. If you ignore the warning and move to a different page without returning and saving the changes, any changes that you have not saved will be lost.

Universal Resource Locator (URL)

Use one of the following URLs to connect to the administration GUI to administer a Screen or set of Screens remotely:

Remote administration - Type http://screenname:3852 as the URL, where screenname is the name of the Screen that you want to administer.

Use one of the following URLs to connect to the administration GUI to administer a Screen locally:

Local administration - Type http://localhost:3852 as the URL for the browser.

This is the only time that you need to enter a URL in the Location field of the browser.

The Administration GUI

The administration GUI for SunScreen is organized as a set of pages. Each page contains one or more controls. For example, most pages include buttons and text fields, which you update using your keyboard and mouse.

Logging in as a user with the administrative access level ALL, READ, or WRITE puts you into a session. You cannot log out of a session if you have made changes, until you have either saved or cancelled any changes to the last saved version.

Caution -

Do not change the administration address (le0, qe0, hme0, and the like), the administration certificate, the local certificate, or the administration-group certificate. If you change these items, you risk losing your connectivity from the Administration Station to the Screen. Reestablishing your connectivity is difficult and requires that you log into the Screen directly or use an Administration Station that is still working. It also requires exchanging encryption information

Login Page

The Login page for SunScreen appears when the browser connects to the designated Screen. FIGURE 4-3 shows the Login page for SunScreen.

The controls on the Login page are explained in TABLE 5-1.

Table 5-1 Controls on the SunScreen Login Page


Controls	Description
User Name field	Type your user name. The default user name is admin.
Password field	Type the password associated with your user name. The default user password is admin. Change the password for the default login account as soon as possible to prevent unauthorized access to the Screen's policies. For a description on how to change passwords, see the SunScreen Administration Guide.
Locale choice list	Choose the locale for localized versions of SunScreen. The default is `en_US` [`English USA`]. This also means that the libraries used to generate messages are in US English.
Select Task choice list	Choose to start the session by viewing the SunScreen Information page or by managing policies by starting with the Policies List page. The selection View Information opens the SunScreen Information page, which contains the logs, status information, and statistical information. This is the default choice. The selection Manage Policies opens the Policies List page, on which you see the active policy and the policies that you have added. From this page, you add new policies, edit policies, and modify various databases.
Login button	Opens the page that you chose for the Select Task field after successful authentication.
Documentation button	Displays links to the online SunScreen documentation. Click one of the links to open the appropriate documentation. You do not have to log in to look at the online documentation.

Changing the Password

During installation, a default administration user account called admin with the password admin was created. Change this password as soon as possible to assure the security of the Screen.

Caution -

Online Documentation

You can look at the online documentation by clicking the Documentation button on the login page, as shown in FIGURE 4-3 or by clicking the Documentation button on the administration GUI navigation bar, shown in FIGURE 4-3.

SunScreen Information Page

The SunScreen Information page is the default selection in the Select Task field of the Login page. On this page you can move to the Policies List page, choose the Screen about which you want information, view the logged information about a Screen's performance, check the status of a Screen, and view the SKIP statistics, view the online documentation, and logout.

Administration GUI Navigation Bar and Buttons

The administration GUI navigation bar and navigation buttons, shown in FIGURE 5-2, appear at the top of administration GUI pages. You should use these button for moving among the pages of the administration GUI.

Figure 5-2 Administration GUI Navigation Buttons

If these buttons are missing from a page of the administration GUI, it means that you have unsaved changes from your editing session. Once you have saved your changes the buttons reappear.

TABLE 5-2 describes the administration GUI navigation buttons.

Table 5-2 Administration GUI Navigation Buttons


Control	Description
Logout	Logs out of the administration session, which clears any lock you may be holding.
Policies	Displays the Policies List page, where you add new policies. You can edit the policies for SunScreen on the Policy Rules page.
Information	Displays the Information page, where you can view the logs, product information, status of SunScreen, and the SKIP statistics.
Documentation	Displays the Documentation page, which contains links to the online SunScreen documentation.

The Name of the Screen

You choose the name of the Screen about which you want to view the information from a choice list. The names of the screens from among which you can choose are those that are in the centralized management group or HA cluster.

The Log Browser Tabs on the Information Page

Clicking one of these tabs displays the status, logs, and the traffic and SKIP statistics.

Status Tab

The Status tab is displayed by default. The Status tab displays the information shown in FIGURE 5-3. This information is derived from the system and the configuration of the firewall when you installed the SunScreen or modified the configuration. You cannot edit any of the fields on this page.

Figure 5-3 SunScreen Information Page--Status Tab

TABLE 5-3 describes the information presented on this page.

Table 5-3 Status Information


Title	Description
Product	The name of the software product.
System Boot Time	Date and time when the system was last restarted.
SunScreen Boot Time	Date and time when the system was last restarted.
Version	The release of the software that is running.
HA Configured	Whether high availability (HA) is configured (YES or NO).
HA Daemon	Whether the high availability daemon is running (OFF or ON). If the HA daemon is running, the members of the HA cluster appear in the area below along with the state of each member of the HA cluster (Active or Passive).
HA Primary Host	The name or IP address of the primary host of the high availability cluster.
Host Names	Lists the hosts configured for HA. This information appears in the area set off from the rest of the information and is updated by default every 30 seconds. You can change the update interval by changing the poll interval in the Logs tab.
Status	Shows the status of the primary and secondary HA hosts. The status is ACTIVE, PASSIVE, and NONRESPONSIVE. This information appears in the area set off from the rest of the information and is updated by default every 30 seconds. You can change the update interval by changing the poll interval in the Logs tab.
Help button	Displays the online help for this page.

Logs Tab

The logs tab displays the Log Browser panel, as shown in FIGURE 5-4.

Figure 5-4 SunScreen Information Page--Logs Tab

TABLE 5-4 describes the column headings for the log panel of the SunScreen Information page.

Table 5-4 Column Headings on the Log Panel of the SunScreen Information Page


Field	Description
Time	Indicates the time that the packet or event represented by this record was logged by the Screen. Use this time field to retrieve records in Historical mode as set in the Log Browser Tab Retrieval Setting.
Level	Indicates the type and severity level of the logged event.
Service	Indicates the network service or protocol, such as TCP, IP, NFS, Telnet, or HTTP, over which this packet was sent or to which the event is related.
Address(es)	Shows the address from which and to which a packet was sent. Arrows indicate direction. Some events that, by themselves, are not related to IP traffic will not have an address or addresses, as shown in the example.
Reason/Detail	Shows the reason a packet or event was logged or the detail regarding the logging. This information depends on the requirements of the rules within a policy.

The logs tab also displays the Retrieval Setting tab and Information tab for the logs.

Logged packets are configured in the packet filtering rules so that a packet or an event is displayed which meets the requirements of a rule in a policy. The log has two retrieval modes: Historical and Real Time.

The Historical mode allows you to examine a particular segment for a particular time.
The Real Time mode displays information as the packets pass through the Screen while you are looking at the log.

For more information setting the values for the log browser, see the section on the "Retrieval Setting Tab" below.

Retrieval Setting Tab

FIGURE 5-5 shows the Retrieval Setting tab for the SunScreen Information page and the log browser in particular. The Filter Keywords, Add to Current Filter, and Current Filter controls are discussed in greater detail in the following section, "Setting a Log Viewing Filter."

Figure 5-5 Retrieval Setting Tab

TABLE 5-5 describes the controls on the Retrieval Setting tab.

Table 5-5 Controls on the Retrieval Setting Tab


Control	Description
Retrieval Mode radio buttons	Specifies the time frame for which you want log messages: Historical allows you to examine a particular segment for particular time and shows the segment of that log the most closely matches the time that you see as the first item in the list of logged packets. You must use four digits in specifying the year, for example, 2000. Real Time specifies that the system displays the most recently logged records. You can specify how often the Log Browser page updates the log display in the Real Time Poll Interval field. If you set the log to Real Time Poll Interval, click the apply button. Depending upon your configured settings, records are logged faster than the Log Browser polls for new records. Thus, the display falls more and more behind as time goes on. If you want to see the most recently logged records. Click the Apply button to force a retrieval. The Poll Interval field also sets the times when the information in the Statistics tab is updated.
Fetch More Records button	Retrieves more log records in the historical mode only. If you check Historical Reference Time and click the Apply button after specifying a date and time for retrieving records, the display will retrieve log records using the date and time that the log file was last cleared. Using this button, you can display the next screen of later records.
Filter Keywords field	Provide the ability to create many simple filtering expressions from the choice lists available. These controls reduce typing effort as well as serving as reminders of filtering options. For more detail, see the following section, "To Set a Log Viewing Filter."
Add to Current Filter button	Causes these items chosen in the Filter Keywords fields to be added to the Filter Keywords text entry box at its current insertion pointer. For more detail, see the following section, "To Set a Log Viewing Filter." It adds all text that is currently selected in the four combo boxes.
Current Filter text box	Allows you to enter an expression of the log-browser filtering language. An arbitrary `logdump` expression can be entered there and activated using the Apply button. For more detail, see the following section, "To Set a Log Viewing Filter."

Setting a Log Viewing Filter

The Log Browser filters log events to be displayed. The language that it uses is identical to the filtering options of the logdump command in the command-line program; it is a superset of the language used by the Solaris snoop packet monitor tool.

You have full access to this language typing an arbitrary logdump expression in the Current Filter text entry box in its Retrieval Settings tab and clicking the Apply button to activate it.

In addition, the Filter Keywords controls provide the ability to create many simple filtering expressions. These controls reduce typing effort as well as serving as reminders of filtering options.

The Filter Keywords controls are used by selecting one or more operations from their choice lists or entering a target (operand) in the rightmost editable combo box. After this choosing or typing your entry, click the Add to Current Filter button to add these items to the Filter Keywords text entry box at its current insertion pointer.

The leftmost editable combo box contains the Boolean operators and, or, and not.

The left-center editable combo box provides filtering terms that are complete and restrict the type of log event displayed. TABLE 5-6 describes the terms in the left-center editable combo box.

Table 5-6 Filter Terms of the Left-Center Editable Combo Box


Term	Description
`loglvl pkt`	Allows displaying network packet-type events
`loglvl sess`	Allows displaying network session-type events
`loglvl auth`	Allows displaying events related to authentication operations
`loglvl app`	Allows displaying events related to screen application (usually proxy) operations
`logapp auth`	Allows displaying events from the authentication subsystem
`logapp edit`	Allows displaying events related to registry or policy editing
`logapp ftpp`	Allows displaying events from the FTP proxy
`logapp log`	Allows displaying events related to the logging facilities themselves
`logapp httpp`	Allows displaying events from the HTTP proxy
`logapp smtpp`	Allows displaying events from the SMTP proxy
`logapp telnetp`	Allows displaying events from the Telnet proxy
`logsev emerg`	Allows displaying events of an emergency severity
`logsev alert`	Allows displaying events of an alert severity or above
`logsev crit`	Allows displaying events of a critical severity or above
`logsev err`	Allows displaying events of an erroneous severity or above
`logsev warn`	Allows displaying events of a warning severity or above
`logsev note`	Allows displaying events of a notice severity or above
`logsev info`	Allows displaying events of an informative severity or above (all events that are not of debug severity)
`logsev debug`	Allows displaying events of a debug severity or above (all events)

The right-center editable combo box provides filtering terms most of which are incomplete and require an operand value, You type these in the rightmost editable combo box. They are added to the choice list of the rightmost editable combo box for reference so that you need not retype the value if you want to use it again. TABLE 5-7 describes the filter terms in the right-center editable combo box.

Table 5-7 Filter Terms in the Right-Center Editable Combo Box


Term	Description
`logwhy` `reason#`	Restricts display to packets that have the given logging reason why code (See Appendix D, Error Messages, TABLE 11-16
`logiface` iface	Restricts display to packets that arrived on the interface named `iface`
`host` `hostname`	Restricts display to events either from or to `hostname`
`dst` `hostname`	Restricts display to events destined for `hostname`
`src` `hostname`	Restricts display to events origination from `hostname`
`port` `hostname`	Restricts display to events related to the service `svcname`
`dstport` `hostname`	Restricts display to events targeted to the service `svcname`
`srcport` `svcname`	Restricts display to events originating from the service `svcname`
`net` `netaddr`	Restricts display to events either from or to the network whose number is `netaddr`
`gateway` `gwyaddr`	Restricts display to packets that used `gwyaddr` as a gateway
`udp`	Restricts display to events related to the UDP transport protocol
`tcp`	Restricts display to events related to the TCP transport protocol
`icmp`	Restricts display to packets of the ICMP control protocol
`rpc`	Restricts display to packets of the RPC protocol
`etheraddr` `etheraddr`	Restricts display to packets that have arrived from this Ethernet address

The terms in italics are variables for which you must supply a value or values in the when you choose this term from the choice list. The values for the variable are as follow:

reason # The reason number is shown in TABLE 11-16 in Appendix D, Error Messages.
hostname can be:
- An IP address (dotted-quad a.b.c.d) (for example, 129.9.9.99)
- An IP address range (a.b.c.d..e.f.g.h) (for example, 129.9.9.0..129.9.9.254)
- A hostname known to the screen's naming service (for example, the DNS name host.your-domain.com)
svcname can be:
- A numeric TCP or UDP port number (for example, 23 for Telnet)
- A numeric TCP or UDP port number range (for example, 6000. .6023 for X windows)
- A service name known to the screen's naming service (for example, domain found in /etc/services)
iface can be:
- The name of an interface (for example hme0)
netaddr can be:
- The IP network number (for example 199.12.200)
gwyaddr can be:
- The name of an Ethernet address (link-layer address gateway through which packets are flowing)
etheraddr can be:
- The 6-octet Ethernet address (for example 8:0:20:A0:EE:E4)

The Information Tab

The log-browser Information tab on the Screen Information page and shown in FIGURE 5-6, provides the statistics for the current log.

Figure 5-6 Information Tab

TABLE 5-8 describes the fields on the Information tab. You cannot edit the fields on this page.

Table 5-8 Fields on the Information Tab


Control	Description
Server Name field	Indicates the name of the Screen to which the Log Browser is connected.
Log current size field (bytes)	Indicates the current size of the log file in bytes on the server.
Log maximum size filed (bytes)	Indicates the maximum size of the log file in bytes on the server.
Last Cleared field	Indicates the date and time the log file was last cleared.
Cleared By field	Identifies the login name of the administrator who last cleared the log file.
Log loss count (records) field	Indicates the number of log records that have been thrown away since the last "clear" operation. Log records are lost if the log grows beyond its maximum size or if the file system on which the log is written fills before that maximum is reached. Packets that cannot be logged because the traffic load exceeds the logger's ability to store entries are not counted.

Statistics Tab

The Statistics tab, shown in FIGURE 5-7, provides information on traffic and key statistics. Traffic statistics include data such as input and output, passed or failed, logged, and bad packets for packets received over the active interfaces. The Statistics tab is updated according to the setting in the Real Time Poll Interval field on the Retrieval Setting tab of the Logs Tab.

Figure 5-7 SunScreen Information Page--Statistics Tab

The Traffic Statistics panel (top) displays traffic statistics for each interface on the Screen. TABLE 5-9 describes the fields on the Traffic Statistics panel of the Statistics tab. The values displayed in these fields cannot be modified.

Table 5-9 Controls on the Traffic Statistics Panel of the Statistics Page


Control	Description
Interface field	Name of the interface.
Address field	Address of the interface.
Inputs field	Total number of packets seen on that network interface. This number includes packets processed by the Screen and intranet traffic. Because this counter records more than just the number of packets through the interface, the number can be much higher than the sum of the numbers in the Passes and Drops fields, which record the number of packets passed and dropped.
Outputs field	Total number of packets passed from other interfaces on the Screen and sent out over this interface.
Passes field	Number of packets received from another interface, matched to an ALLOW rule exactly, and sent out over the designated interface.
Logs field	Number of packets that have been logged by the Screen according to the actions in the active configuration.
Alerts field	Number of SNMP alerts generated because of the traffic on this network interface.
Drops field	Number of packets that have been dropped, either as a result of exactly matching a DENY rule or as a result of not matching any rule and being dropped as the default action of the Screen's interface.
AllocFail field	Error counter for packets lost because of the lack of resources.
NoCanPuts field	Error counter for packets lost because of the lack of stream flow control.
BadPackets field	Error counter for packets lost because of errors.

The SKIP Statistics panel shows the SKIP statistics for the SunScreen. TABLE 5-10 describes the fields on the SKIP Statistics panel of the Statistics page. The values displayed in these fields cannot be modified.

Table 5-10 Controls on the SKIP Statistics Panel of the Statistics Tab


Control	Description
skip_hdr_bad_versions field	Total number of SKIP headers with invalid protocol versions.
skip_hdr_short_ekps field	Number of SKIP headers with short encrypted packet fields.
skip_hdr_short_mids field	Number of SKIP headers with short MID fields.
skip_hdr_bad_kp_algs field	Number of SKIP headers with unknown cryptographic algorithms.
V1 skip_hdr_encodes field	Number of SKIP V1 headers encoded.
V1 skip_hdr_decodes field	Number of SKIP V1 headers decoded.
V1 skip_hdr_runts field	Number of SKIP V1 headers with short packets.
V1 skip_hdr_short_nodeids field	Number of SKIP V1 headers with short node identifiers.
IPSP skip_ipsp_decodes field	Number of SKIP V2 headers decoded.
IPSP skip_ipsp_encodes field	Number of SKIP V2 headers encoded.
IPSP skip_hdr_bad_nsid field	Number of headers with a bad V2 name space identifier.
IPSP skip_hdr_bad_mac_algs field	Number of headers with unknown or bad authentication algorithms.
IPSP skip_hdr_bad_mac_size field	The number of headers with an authentication error in the MAC size.
IPSP skip_hdr_bad_mac_val field	The number of headers with an authentication error in the MAC value.
IPSP skip_hdr_bad_next field	Number of headers with a bad Next Protocol field.
IPSP skip_hdr_bad_esp_spi field	Number of headers with a bad V2 SPI field.
IPSP skip_hdr_bad_ah_spi field	Number of headers with a bad V2 AH SPI field.
IPSP skip_hdr_bad_iv field	Number of headers with a bad V2 initialization vector.
IPSP skip_hdr_bad_short_r_mkeyid field	Number of headers with a short V2 receiver key identifier.
IPSP skip_hdr_bad_short_s_mkeyid field	Number of headers with a short V2 sender key identifier.
IPSP skip_hdr_bad_bad_r_mkeyid field	Number of headers with a bad V2 receiver key identifier.
skip_key_max_idle field	Time, in seconds, until an unused key is reclaimed.
skip_key_max_bytes field	Maximum number of bytes to encrypt before discarding a key.
skip_encrypt_keys_active field	Number of encryption keys in the cache.
skip_decrypt_keys_active field	Number of decryption keys in the cache.
skip_key_lookups field	Total number of key cache lookups.
skip_keymgr_requests field	Total number of key cache misses (key not found).
skip_key-reclaims field	Total number of key entries reclaimed.
skip_hash_collisions field	Total number of table collisions.

The Action Buttons

FIGURE 5-8 shows the action buttons for the SunScreen Information Page. Use these buttons to control the various actions on the log.

Figure 5-8 Action Buttons on the SunScreen Information Page

TABLE 5-11 describes the action buttons on the SunScreen Information Page.

Table 5-11 Action Buttons on the SunScreen Information Page


Button	Description
Apply button	Applies any changes to the settings for the Log Browser page. You can click the Apply button to update the data displayed on the Log Browser page in the real time mode.
Cancel button	Undoes any changes that have not yet been applied.
Defaults button	Resets the Log Browser settings to their default values.
Save Log button	Saves the log file to a local file. If you are using Netscape Navigator or Internet Explorer, you must use the Java plug-in to save the log to a local file.
Clear Log button	Clears the log file, which clears the log record display area.
Save/Clear Log button	Saves and clears the log file. While the file is being saved, the Screen does not add records to the log. If you are using Netscape Navigator or Internet Explorer, you must use the Java plug-in to save the log to a local file.
Help button	Displays a browser window with the online help for the SunScreen Information Page. Two Help buttons appear on this page. They both display the same online help.

Help System

The Help button displays context-sensitive help for the page on which you are. It brings up a new browser window, which you can quit to return to your page or you can move it aside and keep it open for quick reference.

Policies List Page

You reach the Policies List page by choosing Manage Policies for the Select Task field on the Login Page before you click the login button or by clicking the Policies button on the administration GUI's navigation bar.

You can move to the SunScreen Information page, display the online documentation, or log out by clicking the appropriate button on the administration navigation bar

The Policies List page, shown in FIGURE 5-9, allows you to add a new policy or to edit, copy, rename, delete, and backup a particular policy to a local file; to restore a policy from a local file; and to initialize HA.

The Policies List page identifies the policies that have been stored for a Screen. The List Policies page has two instructions under the top or navigation bar: "To edit a policy select one from the table and click the `Edit' button," and "For other tasks select from the top panel buttons."

Figure 5-9 Policies List Page

Policies List Panel

Below the Policies List banner is a panel consisting of three columns that show:

The name - You must click a name of a policy that you want to edit in this column. The term "-Currently Active-" appears in this column for the active policy and the name and the version of the active policy appears in the version column.
The version (if present) - The version lists the versions of policies for your system.
The active policy information (if present).

The Policies List panel lists the policies that have been set up for a particular Screen. The active policy is the first policy in the list of policies and is automatically highlighted when you first come to this page. You can edit inactive Screen policies by clicking the name of an entry in the Policies List panel to highlight it, then click one of the controls at the bottom of the Policies List page.

Types of Policies

The types of policies are:

Regular Policies - Policies that share common objects with other regular policies.
Versioned Policies - A policy with a version number is displayed by clicking the button next to the regular policy name in the first column of Policies List Panel of the Policies List Page. Clicking the reverse arrow hides the versions of a policy. A policy with a version number contains a snapshot of the common objects that are embedded in the saved policy. The name of the policy contains a dot followed by an incremental number. The higher the number, the later the version. Versioned policies cannot be modified, but their rules can be extracted to a new policy.
Currently Active Policy - This policy is extracted from the active policy. The currently active policy cannot be modified. If you click the currently active policy and highlight it, the edit button retains the (RO) designation to show that it is read only. A Save As button appears on the Policy Name line on the Packet Filtering tab of the Policy Rules panel. You can save any modifications to the currently active policy as a new policy. A Save As button appears on the Common Objects panel. You can save the common objects of this policy to replace the current common objects associates with regular policies. FIGURE 5-10 shows these Save As buttons.

Figure 5-10 Policy Rules Page Showing the Save As Buttons for the Currently Active Policy

This allows you to make the common objects embedded in this version of the policy the current common objects, overwriting the existing set of common objects.

This approach allows you to save only the rules part of the versioned policy so that:

These rules become the current rules for this policy, for example the rules for policy Initial.10 can be made the rules for the current version of Initial.
You can copy the rule to a new name.

Note -
The rules created in this way are used with the current set of common objects. On verifying this policy, you may have to fix any inconsistencies.

The difference in behavior between Save As and Edit(RO) is that Save As affects the current policy only and Edit(RO) affects a policy version. With Edit(RO), you have the additional choice of making the rules the current rules for the policy.

Policies List Page Action Buttons

describes the action buttons for the Policies List page.

Table 5-12 Action Buttons on the Policies List Page


Control	Description
Add New button	Opens a dialog box that prompts you for the name of the policy that you want to add. The name for this new policy appears on the policies list panel. You add the rules for the new policy on the Policy Rules page.
Edit button	Opens the Policy Rules page for the policy that you have highlighted and allows you to change the parameters. If the Edit button displays (RO), it means that the policy that you highlighted is read-only. The read-only mode applies only to the active policy and the policy versions in the version column: You cannot modify an active policy. You must click the name (the first column of the policies list panel) to highlight the policy that you want to edit.
Copy button	Opens a dialog box that prompts you for the new name of the policy to which you want to copy the information from the policy that you highlighted on the Policies List panel.
Rename button	Opens a dialog box asking for the new name you want to assign to the selected policy on the Policies List panel.
Delete button	Opens a dialog box asking you to confirm you want to delete the selected policy on the Policies List panel.
Activate button	Activates the selected `policy` on the Policies List panel for the Screen. After you click the Activate button, the version and active policy information are updated in the highlighted row.
Backup All button	Opens the Backup All dialog box, which enables copying the policies to a file or diskette. You cannot use the Backup All button if you are using a browser whose security restrictions do not allow access to the file system from applets. Most browsers have plug-in modules that permit you to back up your policies to a local file or diskette. The backup medium contains copies of the local identities (the encryption keys and certificates) and must be stored securely and disposed of securely to avoid compromising your security.
Restore All button	Opens the Restore All dialog box, which enables restoring the policies from a file or diskette. The restore operation causes the information from the backup file to overwrite all current policy information. You cannot use the Restore All button if you are using a browser whose security restrictions do not allow access to the file system from applets.
Initialize HA button	Opens the Initialize HA dialog box. This dialog box contains the statements that you need to be connected to the HA primary to perform this operation and that you must select the interface you would like to be the HA interface for the primary. This dialog box presents a choice list of all the interfaces available.
Help button	Opens the online help.

Policy Rules Page

FIGURE 5-11 shows the Policy Rules page.

Figure 5-11 Policy Rules Page

Administration GUI Navigation Buttons

The topmost area contains the administration GUI navigation buttons. Figure 5-2 shows the navigation buttons and TABLE 5-2 describes these buttons.

The Policy Rules Page Command Buttons

The area below the administration GUI navigation buttons contains the command buttons for the Policy Rules page. These buttons become active when you add or edit a common object or modify a policy.

FIGURE 5-12 shows the command buttons on the Policy Rules page.

Figure 5-12 Policy Rules Page Command Buttons

TABLE 5-13 describes the command buttons on the Policy Rules page.

Table 5-13 Policy Rules Page Command Buttons


Command Button	Description
Save Changes	Saves any changes you have made to a policy either through the Common Object panel or through the Policy Rules panel. When this button is active, the Navigation buttons on the Policy Rules Page disappear. You must click the Save Changes button before you can move to another page or log out. When you save your changes, you are prompted to activate your policy. The proxy user, auth user, admin user, Jar signature, and Jar Hash common objects are automatically saved when they are edited or new objects are added. For these objects, the change applies immediately and cannot be reversed and the Save Changes button is greyed out to show that it is inactive. When you save changes, you are prompted to activate the modified policy. If you decide not to activate the modified policy now, you can do so later using the Verify Policy button. (See below in this table.)
Cancel Changes	Cancels any changes made to a policy either through the Common Object panel or through the Policy Rules panel.
Verify Policy	Verifies a policy that you have created or modified to check that all the rules are valid and should compile successfully when you activate it. Verifying a policy permits debugging it without having to activate it. When a policy successfully verifies, you are prompted to activate it.

The Policy Rules panel displays the rules in a policy and their order. In this panel, you can write new rules for a policy and edit the rules in a policy. You can establish rules for Packet Filtering, Administrative Access, NAT, or VPN, using the respective tab.

Common Objects Panel

Below the command buttons for the page is the Common Objects panel. You use the controls on this panel to edit or create new common objects for policies and objects specific to the Screen. FIGURE 5-13 shows the Common Objects panel of the Policy Rules page

Figure 5-13 Common-Objects Panel

TABLE 5-14 describes the information, controls, and the buttons in the Common Objects Panel.

Table 5-14 Common Object Information, Controls, and Buttons


Information	Control	Description
Version		The version of the registry of common objects that is being used in a policy. The latest version of the registry is used by all policies. If you edit the common objects (registry) the word "modified" appears after the number until you either cancel the changes or save the changes.
Type	Common Object Choice List	Displays the list of common objects available. You choose the common object that you want from this list.
	Subtype Choice List for Adding a New Common Object of Chosen Type	Displays the choice list of subtypes available for the common object that you selected. Each common object has it own set of subtypes and each subtype requires that you provide different information in a dialog box for that subtype for that common object.
Search	Search String	Enter the string for a particular subtype for a common object in this editable text field. When you click the Search button, all matching subtypes appear in the Results choice list. Leaving this field blank returns all entries defined for the selected subtype or local to the selected Screen. Selecting All in Search on Screens and Search Subtype Choice with the Search String field empty returns all entries defined.
	Search on Screen	Displays a choice list of the Screens that the Administration Station manages. Selecting a Screen from this list limits the search to common objects exclusive to that Screen.
	Search Subtypes	Display a choice list of the subtypes available for the selected common object.
	Search Button	Starts the search according to the criteria set.
	Results	Displays a choice list of available entries that match the criteria.
Found		Show the number of entries in the search that match the criteria.
Detail		Displays the description for the item chosen from the Results choice list.
	Edit Button	Displays the dialog box for the common object selected. Editing a common object is similar to adding a new one. The difference is that after you have chosen the common object that you want to edit and have clicked the Edit button, the dialog box for that common object contains all the information and you only need to modify the requisite information.
	Delete Button	Displays the Delete dialog box.
	Rename Button	Displays the Rename dialog box.
	Help Button	Displays online help.

Common Objects

Common objects are the components or data objects that you use to make up policy rules. Before you write these rules, you add the common objects that you plan to use in the rules.

After the common objects have been added, they are stored in a database and can be used over again to create rule sets for additional policies.

Save Is Not Required With Certain Common Objects

The common objects:

Authorized user
Admin user
Jar signature
Jar hash
Proxy user

that appear in the administration GUI are automatically saved when they are edited or new objects are added. You do not need to save these objects. Once these objects are added or edited, the change applies immediately and cannot be reversed. The Save button in the administration GUI is greyed out to show that it is inactive.

Note -

Although the changes made to these objects are saved immediately, they do not take effect until a policy is activated. The administration GUI edits authorized users, which are authuser objects; proxy users, which are proxyuser objects; and Jar signatures and Jar hashes.

Service

Use the service common object to identify network services that a Screen will use to filter packets. The service common object has two subtypes, single service and service group.

Note -

Adding a new service with new values makes troubleshooting easier than editing the default values of a service.

Single Service

You add new network services and edit the filtering activities applied when a service is used in a rule. You add a new single service using the Service dialog box that appears when you select New Single Service from the Add New combo box in the Common Objects panel, shown in FIGURE 5-14.

Figure 5-14 Service Dialog Box for a New Single Service

You control the filtering activities by specifying what packet-filtering engine you want to use and the various discriminators and parameters applicable to that filtering engine.

FIGURE 5-15 shows the filter table of the Service dialog box for a new single service.

Figure 5-15 Service Dialog Box for a New Single Service with Expanded Filter Table

TABLE 5-15 describes the controls in the Service dialog box for a single service.

Table 5-15 Controls for Service Dialog Box for Single Service


Control	Description
Configuration Information
Name	Specifies the name of the service object.
Description	(Optional) Provides a brief description about the service object.
Screen	(Optional) Restricts the service so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.
Filter Table Information
Filter Table	Display the parameters for the single services. The Add Filter button Adds a row to the filter table so that you can define additional forward filters for the service. The Add Port button adds ports for use by the forward filter. This field becomes active when you click the port field of the filter table. The Delete button the highlighted row in the table. You click a row in the table to highlight it.
Filter	Identifies the state engine.
Port	Identifies the port number, program number, or type used by the forward filter.
Broadcast	Determines whether the rules in which the service is used allows communication to broadcast or multicast addresses. If you want the service to work for nonbroadcast addresses, you must enter a separate table entries for broadcast and nonbroadcast entries
Parameters	Overrides the default values the selected packet-filter state engine. Each state engine has a set of parameters; refer to Appendix C, Services and State Engines for default parameters values and their meaning.
Reverse	Determines whether the filter applies to packets originating from the host in the To address of a rule and going to the From address of a rule.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Displays the page of online help for this common object.

Service Group

Use the service group to group single services that you want to use together. FIGURE 5-16 shows the Service dialog box for service group.

Figure 5-16 Service Dialog Box for Service Group

TABLE 5-16 describes the controls in the Service dialog box for service group.

Table 5-16 Controls for Service Group Service Dialog Box


Control	Description
Name	Specifies the name of the service object.
Description	(Optional) Provides a brief description about the service object.
Screen	(Optional) Restricts this service group applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.
Services List	Identifies the services that do not belong to the service group. Refer to "State Engines" for a description of services.
Members List	Identifies the services that belong to the service group.
Add Button	Moves the service selected in the Services list to the Members list, making the service a member of the specified service group.
Remove Button	Moves the service selected in the Members list to the Services list, removing the service from the specified service group.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Address

Use the address common object to create address objects that define the source and destination address for a policy rule. If you are adding addresses, the Address dialog box that appears for a particular subtype is empty. If you are modifying an existing address, the Address dialog box displays the existing information. Address objects has three subtypes: host, range and group.

Host

Host is a way to associate an individual host's IP address with a name for the address object. FIGURE 5-17 shows the Address dialog box for adding a new host to the host subtype.

Figure 5-17 Address Dialog Box for New Host

TABLE 5-17 describes the controls in the Address dialog box for a new host.

Table 5-17 Controls for New Host Address Dialog Box


Control	Description
Name	Specifies the name for the address object.
Description Field	(Optional) Provides a brief descriptive note about the address object.
Screen	(Optional) Restricts this address so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.
IP Address/Host Name	Specifies the IP address you want to associate with the address object identified in the Name list.
Lookup IP Address Button	If SunScreen has access to DNS or NIS, lets you look up host addresses by host name.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Range

Range associates a range of IP addresses with an address object name. For example, you can associate a name with a specified range of network IP addresses and use that name to filter traffic to all hosts on that network. FIGURE 5-18 shows the Address dialog box for adding a new range of addresses to the range subtype.

Figure 5-18 Address Dialog Box for New Range

TABLE 5-18 describes the controls for the Address dialog box for new range.

Table 5-18 Controls for New Range Address Dialog Box


Control	Description
Name	Specifies the name for the address object.
Description	(Optional) Provides a brief description about the address object.
Screen	(Optional) Restricts this range of addresses so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.
Starting IP Address	Specifies the starting IP address in the range.
Ending IP Address	Specifies the ending IP address in the range.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Group

Group is a way to group host addresses, address ranges and other address groups. By grouping addresses that use similar services and have similar actions, you can save time when creating rules. FIGURE 5-19 shows the Address dialog box for adding a new group to the group subtype.

Note -

Before you create an address group, you first define the address objects--single addresses, address ranges, or address groups--that you want to use in the address group.

Figure 5-19 Address Dialog Box for New Group

TABLE 5-19 describes the controls for the Address dialog box for new group.

Table 5-19 Controls for the New Group Address Dialog Box


Control	Description
Name	Specifies the name for the address object.
Description	(Optional) Provides a brief description about the address object.
Screen	(Optional) Restricts this address group so that it applies to the selected Screen only. The default (All) means that all Screens recognize this object unless an object exists that has been specifically defined for a particular Screen and has the same name as the Screen for which it is defined.
Addresses	Displays the addresses objects that can to be used to create the address group.
Include List	Specifies the address objects that are currently included in the address group. Use the Add or Remove buttons to modify the list.
Exclude List	Specifies the address objects that are excluded from the address group. For example, you can create an address group that includes all addresses except as specified in the Exclude List. Use the Add or Remove buttons to modify the list.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Certificate

Use the certificate common object to configure the certificates for the Screen and for remote hosts that will communicate securely through the Screen.

Note -

Changes to the certificate object that pertain to loading into SKIP take effect immediately without having to be saved. You cannot use the Cancel Changes button to undo the changes you made. Changes to the certificate object as stored in the common objects do not take effect immediately and must be save and only take effect when the policy in which they are used is activated. For example, in adding a new certificate, (the certificate is created and loaded immediately into SKIP, but the name has not been saved as part of the common objects and must be saved. Renaming a certificate only affects the common objects and must be saved.

Generate Screen Certificate

Generate screen certificate generates a certificate for the Screen. FIGURE 5-20 shows the Certificate dialog box .

Figure 5-20 Certificate Dialog Box for Generate Screen Certificate

TABLE 5-20 describes the controls for the Certificate dialog box for generate Screen certificate.

Table 5-20 Controls for the Certificate Dialog Box for Generate Screen Certificate


Control	Description
Name	Specifies a name for the certificate.
Description	(Optional) Provides a brief description about the certificate object.
Screen	Specifies the Screen that recognizes the certificate object. The default is All.
Installed On	(Optional) Specifies the Screen on which the certificate is generated.
Radio buttons	Specifies the strength of encryption that the Screen uses.
Generate New Certificate	Generates the certificate. The Certificate ID field displays the certificate's certificate ID.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Associate MKID

Associate MKID, also called the certificate ID, assigns a name to a certificate that exists on another machine. Associate a certificate ID for encrypted communication between two screens or between a screen and an Administration Station. FIGURE 5-21 shows the Certificate dialog box for Associate MKID .

Figure 5-21 Certificate Dialog Box for Associate MKID

TABLE 5-21 describes the controls for the Certificate dialog box for associate MKID.

Table 5-21 Controls for Associate MKID Certificate Dialog Box


Control	Description
Name	Specifies the name for the certificate ID object.
Description	(Optional) Provides a brief description about the MKID or certificate ID object.
Screen	Specifies which Screen recognizes the certificate ID object. The default is All. Specifying a Screen allows you to define packet-filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen. Specify the Screen only if you are using Centralized Management. A common object or policy rule applies to all Screens unless you choose a specific Screen.
Installed On	(Optional) Used only if you later remove this certificate object from the common objects. At that time, the SKIP identity that is installed on the Screen will be removed from the parameter.
Certificate ID	Specifies the certificate ID (hash value) for the certificate that you generated on the other system.
Radio Buttons	Specifies the strength of encryption that the Screen uses.
Generate New Certificate	Generates the certificate. The Certificate ID field displays the certificate's certificate ID.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Certificate Group

Certificate group is a way to group single certificates that you want to use together. FIGURE 5-22 shows the Certificate dialog box for certificate group.

Figure 5-22 Certificate Dialog Box for Certificate Group

TABLE 5-22 describes the controls in the Certificate dialog box for certificate group.

Table 5-22 Controls for Certificate Group Dialog Box


Control	Description
Name	Specifies the name of the certificate object.
Description	(Optional) Provides a brief description about the certificate object.
Screen	Specifies which Screen recognizes the certificate object.
Available Certificate List	Identifies the certificates that do not belong to the certificate group. Refer toAppendix C, Services and State Engines for a description of services.
Group Members List	Identifies the certificates that belong to the certificate group.
Add Button	Moves the certificate selected in the Available Certificates List to the Group Members list, making the certificate a member of the specified service group.
Remove Button	Moves the certificate selected in the Group Members list to the Available Certificates list, removing the certificate from the specified certificate group.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Screen

Use the screen common object to edit or add screen objects. You can edit miscellaneous Screen parameters, SNMP parameters, and mail Proxy parameters for screen objects that already exist. The algorithms used here are for centralized management only. FIGURE 5-23 shows the Screen dialog box.

Figure 5-23 Screen Dialog Box

In general, edit, rather than create, screen objects because they are automatically created during installation. Specifying a Screen enables you to define packet-filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen.

Note -

You must enter the name of the administrative interface of the Screen. The name must be the name of the administrative interface of the Screen as it is listed in the naming service or in the /etc/hosts file.

You must create a screen object if you are setting up :

A high availability (HA) cluster
A centralized management group (CMG)

You create or edit a screen object using the Miscellaneous, Primary/Secondary, SNMP, and Mail Proxy tabs in the Screen dialog box.

Miscellaneous Tab

Figure 5-23 shows the Miscellaneous tab of the Screen dialog box and the parameters.

TABLE 5-23 describes the controls for the Miscellaneous tab of the Screen dialog box.

Table 5-23 Controls for the Miscellaneous Tab of the Screen Dialog Box


Control	Description
Name	Specifies a name for the screen object.
Description	(Optional) Provides a brief description of the screen object.
Log Size	Sets the size of the log in megabytes.
Stealth Network	Specifies the network address for interfaces that are used as stealth interfaces. Set this parameter if you have used the interface object to designate any Screen interfaces as stealth interfaces.
Stealth Netmask	Specifies the netmask for interfaces that are used as stealth interfaces. Set this parameter if you have used the interface object to designate any Screen interfaces as stealth interfaces.
Allow Routing Traffic	Specifies whether the Screen sends or receives updates to the routing table using the RIP protocol.
Name Service	Specifies the name service (DNS, NIS, Both, or None) that the Screen will use.
Certificate Discovery	Specifies whether the Screen uses Certificate Discovery.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

SNMP Tab

The SNMP tab specifies the interval for SNMP timed status indicator traps and you can add, edit, or delete SNMP trap receivers.

Note -

Use the Action field of the packet-filtering Rule Definition dialog box to specify actions that generate SNMP alerts. The machine that receives SNMP trap alerts must not be a remote Administration Station.

FIGURE 5-24 shows the SNMP tab of the Screen dialog box .

Figure 5-24 SNMP Tab of the Screen Dialog Box

TABLE 5-24 describes the controls for the SNMP tab on the Screen dialog box.

Table 5-24 Controls for the SNMP Tab of the Screen Dialog Box


Control	Description
Name	Specifies a name for the Screen object.
Description	(Optional) Provides a brief description of the Screen object.
SNMP timer interval (in minutes)	Specifies in minutes when an SNMP trap is emitted. Specifying a time here turns on the timed status indicator. Specify the time in 1-minute increments. If you do not set the interval as part of the screen object's `SNMP_TIMER`, these traps are not sent. You cannot configure this trap.
SNMP Receivers	Displays the list of SNMP receivers. You are limited to five receivers.
Add/Delete (Name/IP address)	Specifies the name or the IP address of the SNMP receiver that you want to add to list when you click the Add button. Specifies the name or the IP address of the SNMP receiver that you want to delete when you click the Delete button.
Add	Adds the SNMP receiver specified in the Add/Delete (Name/IP address) field to the list of SNMP receivers shown in the SNMP Receivers field.
Delete	Deletes the SNMP receiver specified in the Add/Delete (Name/IP address) field from the list of SNMP receivers shown in the SNMP Receivers field. Deletes the SNMP receiver highlighted in the SNMP Receivers field.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information
Help Button	Calls up the page of online help for this common object.

The following SNMP traps are supported:

As an action on a packet that matches a particular rule
As a default drop action on an interface
Time status indicator traps

The first two types include the following data:

interface - The SunScreen network interface number on which the packet was received.
interfaceName - The SunScreen network interface name on which the packet was received.
errorReason - The reason the alert was generated. (See the sunscreen.mib file for a complete list of reasons.)
packetLength - The actual length of the packet in bytes.
lengthLogged - The length of the data logged in bytes.
packetData - The packet data.

The SNMP timed status indicator trap uses the same receivers database as other types of SNMP traps. There is only one database with a maximum of five receivers. These receivers are specified as variable to the screen object.

To activate the timed status indicator traps, set the SNMP timer interval.

The following data are in the SNMP timed status indicator. These data cannot be modified and new data cannot be added:

cpuUsage - Average percentile CPU usage
memoryAvail - Current swap space available, in kilobytes
swapIn - Current swap ins
swapOut - Current swap outs
scanRate - Current scan rate
tcpUsage - Current number TCP connections in the SunScreen state table
ipUsage - Current number IP connections in the SunScreen state table
udpUsage - Current number UDP connections in the SunScreen state table
rootUsage - Disk usage of the root partition, /
varUsage - Disk usage of the var partition, /var
etcUsage - Disk usage of the etc partition, /etc
tmpUsage - Disk usage at the tmp partition, /tmp

Only these SNMP traps are supported. No get or set operations are supported.

Primary/Secondary Tab

The Primary/Secondary tab associates a certificate object with a Screen that is part of an HA cluster or a CMG. The High Availability choice (No, Primary, or Secondary) and the Primary Name choice determine the role a Screen has within an HA cluster and centralized management group (CMG). The settings you choose determine which other controls on the Primary/Secondary tab are active. FIGURE 5-25 shows the Primary/Secondary tab of the Screen dialog box .

Figure 5-25 Primary/Secondary Tab on the Screen Dialog Box

TABLE 5-25 describes the controls for the Primary/Secondary tab.

Table 5-25 Controls for the Primary/Secondary Tab of the Screen Dialog Box


Control	Description
Name	Specifies a name for the Screen object. The entry in the Name field must be the same as the entry that exists in the `nameservice` lookup or in the `/etc/hosts` file. The IP address associated with this name must match the IP address of the administrative interface. The type of interfaces must be the same on all the machines in the HA cluster. This interface must be dedicated on each machine in the HA cluster with a dedicated network connection. For reasons of security, the HA network should not be connected to any other network. The HA primary Screen is always the Screen you administer whether it is the active or passive Screen.
Description	(Optional) Provides a brief description of the Screen object.
High Availability	Specifies whether the Screen is used for HA. If you are using it for HA, you can specify whether the Screen is a primary HA Screen or a secondary HA Screen.
Primary Name	Specifies the name of the primary Screen. This is the primary of this Screen if this Screen is an HA secondary, or the primary of a centralized management group if you want this Screen to be a CMG secondary.
Administrative IP	IP address of the Screen that is used for administration. This is the IP address or an address group that contains all interface addresses of the Screen.
Administration Certificate	Specifies the name of the Screen's Administration certificate.
High Availability IP Address	Specifies the IP address of the HA interface.
Ethernet Address	Generated by the system.
Key Algorithm	Specifies the key encryption algorithm that will be used. The options available depend upon the strength of the encryption installed.
Data Algorithm	Specifies the key encryption algorithm that will be used. The options available depend upon the strength of the encryption installed.
MAC Algorithm	Specifies the MAC (authentication) algorithm that will be used. The options are: none MD5 MD5-NAT
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Mail Proxy

The Mail Proxy tab allows adding, editing, or deleting domains known to distribute unsolicited electronic mail (spam). You can define spam domains if you use an SMTP proxy.

FIGURE 5-26 shows the Mail Proxy tab of the Screen dialog box .

Figure 5-26 Screen Dialog Box Showing the Mail Proxy Tab

TABLE 5-26 describes the controls for the Mail Proxy tab of the Screen dialog box.

Table 5-26 Controls for the Mail Proxy Tab of the Screen Dialog Box


Control	Description
Name	Specifies a name for the Screen object.
Description	(Optional) Provides a brief description of the Screen object.
Spam Domains	Lists the domains that are distributing unsolicited electronic mail.
Add/Delete Host	Specify the domain that you want to add to the Spam Domains list when you click the Add button. Specify the domain that you want to delete from the Spam Domains list when you click the Delete button.
Add	Adds the domain specified in the Add/Delete Host field to the list of spam domains shown in the Spam Domains field.
Delete	Deletes the domain specified in the Add/Delete Host field from the list of domains shown in the Spam Domains field. Deletes the domain highlighted in the Spam Domains field.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Interface

The interface common object defines interfaces and specifies the actions a Screen should take when a packet that is received on that interface is rejected.

FIGURE 5-27 shows the Interface Definition dialog box .

Figure 5-27 Interface Definition Dialog Box

TABLE 5-27 describes the controls for the Interface Definition dialog box.

Table 5-27 Controls for the Interface Definition Dialog Box


Control	Description
Interface	Specifies the interface.
Type	Specifies the type of interface. The options are: ROUTING ADMIN DISABLED HA STEALTH
Screen	Specifies the Screen on which this interface physically resides. If you are using centralized management, you must complete this field.
Address Group	Specifies the source IP addresses for this interface.
Logging	Identifies the disposition of a packet, when a packet received on the interface does not match any rule. The options are: NONE - Do not log packets. SUMMARY - Record the first 40 bytes of the packet in the log. DETAIL - Record the complete packet in the log. If a packet matches a rule, it is disposed of according to the action for the rule it matches.
SNMP Alerts	Specifies whether the Screen should issue an SNMP alert message when a packet received on an interface does not match a rule. The options are: SNMP_NONE - Do not send an SNMP alert message. (This is the default.) SNMP - Send an SNMP alert message when a packet received on this interface is rejected. If a packet matches a rule, it is disposed of according to the action for the rule it matches.
ICMP Action	Identifies the ICMP rejection message that is issued if a packet received on the interface is rejected. In most cases, the Screen rejects packets by sending an ICMP Destination Unreachable packet with the reject code set as specified in the ICMP action on the interface. The one exception is the PORT_UNREACHABLE ICMP action. In this case, the Screen rejects TCP packets by sending a TCP RESET packet and other packets by sending an ICMP Destination Unreachable (Port Unreachable) message. The options for the actions are: NONE NET_UNREACHABLE HOST_UNREACHABLE PORT_UNREACHABLE NET_FORBIDDEN HOST_FORBBIDEN. If a packet matches a rule, it is disposed of according to the action for the rule it matches.
Comment	(Optional) Provides a descriptive note about the Interface object.
Router IP Address	(Optional) Specifies the router's IP address when the type of interface is STEALTH. This allows packets that have had their destination address changed, for example NAT or tunnelling, to be sent to a router. You can specify as many as five router IP addresses. If you have stealth interfaces, define the router that does the routing for the subnet for at least one of them.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Proxy User

The proxy user common object contains the mapping information for users of SunScreen proxies. The proxy user object has the subtypes single and group. FTP and Telnet rules reference the proxy user entries.

The proxy user object is automatically saved when it is edited or a new proxy user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

Single

The single dialog box defines a new single proxy user.

If you want to use the authentication feature of the FTP and Telnet proxies, you must define an authorized user before you add a proxy user.

FIGURE 5-28 shows the Proxy User dialog box for adding a new single proxy user .

Figure 5-28 Proxy User Dialog Box for a Single Proxy User

TABLE 5-28 describes the controls for the Proxy User dialog box for a single proxy user.

Table 5-28 Controls for the Proxy User Dialog Box for a Single Proxy User


Control	Description
Name	Specifies the name of the proxy user.
Description	Adds a brief description of the proxy user.
User Enabled	Controls whether the user can log into the Screen. This function permits the administrator to refuse login privileges to someone who previously could log in without having to remove that person from the list of proxy users.
Authorized User Name	Selects the name of the authorized user to be used to authenticate this proxy user. Names in this list are generated when you add an authorized user object. If this field is empty, authorization is not required for this user.
Proxy User Group	Identifies the user group or groups to which the user belongs. If no groups are highlighted, user does not belong to any group.
Backend User Name	Identifies the user on a specific server. It defaults to the user name.
OK Button	Stores the new or changed information.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Group

The group is a way to group proxy users that have the same privileges. Group proxy users to save time when creating rules. Before creating a proxy user group, define the proxy user objects for that proxy user group. Group proxy users to save time when creating rules.

FIGURE 5-29 shows the Proxy User dialog box for adding a new group.

Figure 5-29 Proxy User Dialog Box for Grouping Proxy Users

TABLE 5-29 describes the controls for the Proxy User dialog box for grouping proxy users.

Table 5-29 Controls for the Proxy User Dialog Box for Grouping Proxy Users


Control	Description
Name	Specifies the name of the proxy group.
Description	Adds a brief description of the proxy group.
User Enabled	Controls whether this group of proxy users can log into the Screen's proxy. This function permits the administrator to refuse login privileges to a group that previously could log in without having to remove that group from the list of member users.
Proxy Users	Displays the proxy user objects that can to be used to create the member user list for the proxy user group.
Member Users	Specifies the proxy user objects that are currently included in the member users list of the proxy user group. Use the Add or Remove buttons to modify the member users list.
OK Button	Stores the new or changed information.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Authorized User

The common object authorized user specifies the users that are allowed to use the Telnet and FTP proxies.

The common object authorized user is automatically saved when it is edited or a new authorized user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-30 shows the User dialog box for an authorized user object . This same dialog box also appears for the administrative user object.

Figure 5-30 User Dialog Box for an Authorized User

TABLE 5-30 describes the controls for the User dialog box for an authorized user object and for an administrative user object.

Table 5-30 Controls for the User Dialog Box for an Authorized User Object and an Administrative User Object


Control	Description
User Name	Specifies the login name of the authorized user.
Description	(Optional) Provides a brief description about the authorized user.
User Enabled	Controls whether the user can log into the Screen's proxy. This function permits the administrator to refuse login privileges to someone who previously could log in without having to remove that person from the list of proxy users.
Password	Specifies the login password for the authorized user.
Retype Password	Specifies the login password for the authorized user. The password typed in this field must exactly match the password you typed in the Password field.
SecurID Name	(Optional) Specifies the user's login name for SecurID authorization.
Real Name	(Optional) Identifies the real name of the authorized user.
Contact Information	(Optional) Displays information on how to contact the specified user.
OK Button	Stores the new or changed information.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Administrative User

The common object administrative user identifies the SunScreen administrators that have access to the Screen. This object refers to an authorized user; therefore, the administrative user object uses the same User dialog box that the authorized user object does.

FIGURE 4-32 shows the User dialog box for both an authorized user object and an administrative user object. TABLE 5-30 describes the controls for the User dialog box for both an authorized user object and an administrative user object.

The administrative user object is automatically saved when it is edited or a new administrative user object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

After you create an administrative user object, you grant administrative access by creating a rule in the Administrative Access tab of the Policy Rules panel. The name that you create for the administrative user object is the same name that you use when you create administrative access rules.

Jar Signature

The Jar signature common object identifies the Java archives (JARs) that you want the Screen to pass. JAR signatures apply only to the HTTP proxy.

The Jar signature object is automatically saved when it is edited or a new Jar signature object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-31 shows the Jar Signature dialog box .

Figure 5-31 Jar Signature Dialog Box

TABLE 5-31 describes the controls for the JAR signature dialog box.

Table 5-31 Controls for the Jar Signature Dialog Box


Control	Description
Name	Identifies the name of the certificate.
Master Key ID	Identifies the certificate ID.
Load Jar Certificate Button	Loads the certificate used to authenticate the Java archive. This procedure requires that your browser can allow local access to files.
OK Button	Stores the new or changed information.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Jar Hash

The HTTP proxy can be set up to filter the Java applets based on the hash value of the Jar file.

The Jar hash object is automatically saved when it is edited or a new Jar hash object is added. Any changes apply immediately and cannot be reversed. The Save Changes button is greyed out to show that it is inactive.

FIGURE 5-32 shows the Jar Hash dialog box .

Figure 5-32 Jar Hash Dialog Box

TABLE 5-32 describes the controls for the Jar hash dialog box.

Table 5-32 Controls for the Jar Hash Dialog Box


Control	Description
Name	Identifies the name of the certificate.
Master Key ID	Identifies the certificate ID.
OK Button	Stores the new or changed information.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Time

The time common object specifies the time of day and the day of the week that a rule applies.

FIGURE 5-33 shows the Time dialog box .

Figure 5-33 Time Dialog Box

TABLE 5-33 describes the controls in the Time dialog box.

Table 5-33 Controls for the Time Dialog Box


Control	Description
Name	Specifies a name for the time object.
Description	(Optional) Adds a descriptive note about the time object.
Screen	Specifies the Screen that recognizes the time object.
Table for the Time Parameters	Sets the time of day and the day of the week for this time object. Use the Add button to add a row to the table and the Delete button to remove a row to the table Day column contains a choice list of the days of the week plus EVERYDAY and *. Start Time column contains a choice list of the hours in a day using the 24-hour clock with midnight denoted as 00. Time Start column contains a choice list of the minutes in an hour in 5-minute increments. End Time column contains a choice list of the hours in a day using the 24-hour clock with midnight denoted as 00. End Time column contains a choice list of the minutes in an hour in 5-minute increments.
Add Row Button	Adds a row to the table so that you can set time parameters for this time object. To cover more than one day, but less than everyday, add a row for each day and choose the day that you want for each row
Delete Button	Deletes a highlighted entry in the table.
OK Button	Stores the new or changed information and makes the Save Changes command button active.
Cancel Button	Cancels any new or changed information.
Help Button	Calls up the page of online help for this common object.

Policy Rules Panel

Policy rules govern data communication between systems--either another host, a network, or a remote computer and your network. You write and edit the rules that govern this communication in the Policy Rules panel. SunScreen uses ordered sets of rules to implement the security policies. Ordered set of rules means that, when a Screen receives a packet, it matches the packet against each rule in its active policy until it finds one that applies, and then takes the actions associated with that rule. Once a Screen finds an applicable rule for a packet, it ignores subsequent rules in its active policies.

Rules do not take effect until you save and activate the policy to which they belong by clicking the Save Changes button located above the Common Objects area, and the Activate button in the bottom area of the Policies List page. SunScreen sets up the basic security policy for name service lookups, Routing Information Protocol (RIP) packets, and SunScreen SKIP certificate discovery during installation. You can change these setting for each Screen by changing them in the screen object. You can use the Rules area on the Policy Rules page to specify how your Screen should filter other types of packets.

Note -

If the specified filtering rule fails to detect any issued certificate (key) encryption algorithms, it may display the following error message: An error occurred in detecting the Encryption algorithms. Please check if skipd process is running. If this occurs, restart the skipd process using the command skipd_restart.

Use the Policy Rules panel to add or modify a rule in a SunScreen policy. Clicking the Add New button (or selecting a policy and clicking the Edit button) opens the Policy Rules panel of the Policy List page.

To display the controls on a tab, click the tab header. TABLE 5-34 describes the tabs that are available from the Policy Rules panel.

Table 5-34 Policy Rules Panel Tabs


Tab	Description
Packet Filtering	Shows the packet filtering rule or rules.
Administration Access	Defines access rules for local administration and remote Administration Stations through the administration GUI or the command line (seeAppendix B, Command-Line Reference ).
NAT (Network Address Translation)	Maps private network addresses to public network addresses.
VPN (Virtual Private Network)	Maps name, address, certificate, issued certificate (key) algorithm, data algorithm, MAC algorithm, tunnel address, and description.

Packet Filtering Tab

The Packet Filtering tab displays a panel, shown in FIGURE 5-34, for configuring packet-filtering rules. Use packet filtering to control traffic using a particular service, traffic intended for a particular service, or traffic coming from a particular address.

Figure 5-34 Packet Filtering Tab

SunScreen uses ordered packet filtering. The Screen assumes that the first rule that matches a packet is the rule that governs the disposition of the packet.

If the packet does not match any rule, the Screen uses its default action to determine the disposition of the packet.

Note -

The default action is set when defining the interfaces. A default action can be set for each interface, but not for the entire Screen. Typically, the default action is to only drop the packet. Other options are available. See "Interface".

TABLE 5-35 describes the available fields in the Packet Filtering tab.

Table 5-35 fields on the Packet Filtering Tab


Field	Description
Rule Index	(Optional) Assigns a number to a rule. When editing or adding a new rule, by default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen	(Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.
Service	Identifies the network service or service group to which this rule applies. Network services and service groups are described in Appendix C, Services and State Engines.
Source	The value to which the source address of a packet is compared. If an asterisk (*) appears, any source address meets the criteria of the rule.
Destination	The value to which the destination address of a packet is compared to determine whether the rule should apply. If an asterisk (*) appears, any destination address meets the criteria of the rule.
Action	Displays the action for the rule and permits setting the logging behavior. The options are: ALLOW DENY ENCRYPT SECURE
Time	Specifies the time of day for the rule.
Description	(Optional) Provides a brief description of the Administrative Access rule.

To edit every field, except the Rule Index field, on the Packet Filtering tab, click it to display the choice list. The changes in the fields for a rule are reflected in the Common Objects panel, except for the Action field, which displays a dialog box for that rule and policy. Set the logging options for the action in the dialog box for that action. The particular dialog box that appears depends on the action selected.

ALLOW Action

FIGURE 5-35 shows the Policy Rule Index dialog box for the ALLOW action.

Figure 5-35 Policy Rule Index Dialog Box for ALLOW action

TABLE 5-36 describes the controls in Policy Rule Index dialog box for ALLOW action.

Table 5-36 Controls for ALLOW Action


Control	Description
Log	Sets logging behavior. The options are: LOG_NONE - Do not log packets. LOG_SUMMARY - Record the first 40 bytes of the packet in the log. LOG_DETAIL - Record the complete packet in the log. LOG_SESSION - Record information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. Not used for stateless services such as `ip all`.
SNMP	Specifies whether the Screen should issue an SNMP trap message when the rule is applied. The options are: SNMP_NONE - Do not send an SNMP alert message when a packet matches the criteria of this rule. SNMP - Send an SNMP alert message when a packet matches the criteria of this rule.
PROXY	Specifies the proxy the Screen should use, if any, when a packet meets the selection criteria of the rule. The options are: NONE PROXY_HTTP PROXY_FTP PROXY_SMTP PROXY_telnet If you choose a proxy, another dialog box, according to the proxy chosen, is displayed.

PROXY_HTTP - Presents the dialog box shown in FIGURE 5-36.

Figure 5-36 PROXY_HTTP Dialog Box for ALLOW action

TABLE 5-37 lists the flags for the HTTP proxy.

Table 5-37 HTTP Proxy Flags


Flag	Function
Cookies	Permits the use of cookies. The options are: ALLOW DENY
ActiveX	Permits the use of ActiveX. The options are: ALLOW DENY
Java	Allow or disallow use of Java applets. The options are: Allow JAVA Block JAVA JAR Signature JAR Hash JAR Signature and Hash
SSL	Permits the use of SSL encryption. The options are: ALLOW DENY

PROXY_FTP - Presents the dialog box shown in FIGURE 5-37.

Figure 5-37 PROXY_FTP Dialog Box for ALLOW action

TABLE 5-38 lists the settings available for the flags for the FTP proxy.

Table 5-38 FTP Proxy Flags


Flag	Function
GET	Allow or disallow use of the FTP get command
PUT	Allow or disallow use of the FTP put command
CHDIR	Allow or disallow use of the FTP chdir command
MKDIR	Allow or disallow use of the FTP mkdir command
RENAME	Allow or disallow use of the FTP rename command
REMOVE	Allow or disallow use of the FTP remove_dir command
DELETE	Allow or disallow use of the FTP delete command
PROXY USERS	Choose the proxy user or the group of proxy users that you want for this rule. You can have only one proxy user or one group of proxy users in this field. You define these proxy users in the proxy user common object.

PROXY_SMTP - Presents the dialog box shown in FIGURE 5-38.

Figure 5-38 PROXY_SMTP Dialog Box for ALLOW action

The only flag for the SMTP proxy is to allow or disallow relayed mail.

PROXY_Telnet - Presents the dialog box shown in FIGURE 5-39.

Figure 5-39 PROXY_Telnet Dialog Box for ALLOW action

For the PROXY USER field, type the proxy user or the group of proxy users that you want for this rule from the choice list. Specify only one proxy user or one group of proxy users in this field. Define these proxy users in the proxy user common object.

DENY Action

FIGURE 5-40 shows the Policy Rule Index dialog box for DENY action

Figure 5-40 Policy Rule Index Dialog Box for DENY Action

TABLE 5-39 describes the controls in Policy Rule Index dialog box for DENY action.

Table 5-39 Controls for DENY Action


Control	Description
Log	Sets logging behavior. The options are: LOG_NONE - Do not log packets. LOG_SUMMARY - Record the first 40 bytes of the packet in the log. LOG_DETAIL - Record the complete packet in the log.
SNMP	Specifies whether the Screen should issue an SNMP trap message when the rule is applied. The options are: SNMP_NONE - Do not send an SNMP alert message when a packet matches the criteria of this rule. SNMP - Send an SNMP alert message when a packet matches the criteria of this rule.
ICMP Reject	Identifies the ICMP rejection message issued when the rule is applied. In most cases, the Screen rejects packets by sending an ICMP Destination Unreachable packet with the reject code set as specified in the ICMP action in the rule. The one exception is the PORT_UNREACHABLE ICMP action. In this case, the Screen rejects TCP packets by sending a TCP RESET packet and other packets by sending an ICMP Destination Unreachable (Port Unreachable) message. The options for the actions are: NONE NET_UNREACHABLE HOST_UNREACHABLE PORT_UNREACHABLE NET_FORBIDDEN HOST_FORBIDDEN
PROXY	Specifies the proxy you want to use, if any. The options are: NONE PROXY_HTTP PROXY_FTP PROXY_SMTP PROXY_telnet If you choose a proxy, another dialog box, according to the proxy chosen, is displayed.
PROXY USERS	You must type the name or names of the proxy users in this field. You find the proxy users by selecting proxy user as the type of object and searching for them in Common Objects panel of the Policy Rules page.

PROXY_HTTP - Presents the same dialog box shown in Figure 5-40 save that PROXY_HTTP appears in the PROXY field. There are no flags to set.
PROXY_FTP - Presents the dialog box shown in FIGURE 5-41.

Figure 5-41 PROXY_FTP Dialog Box for DENY action

PROXY_SMTP - Presents same dialog box shown in Figure 5-40 save that PROXY_SMTP appears in the PROXY field. There are no flags to set.
PROXY_Telnet - Presents the dialog box shown in FIGURE 5-42.

Figure 5-42 PROXY_Telnet Dialog Box for DENY action

ENCRYPT Action

FIGURE 5-43 shows the Policy Rule Index dialog box for ENCRYPT action.

Figure 5-43 Policy Rule Index Dialog Box for ENCRYPT Action

TABLE 5-40 describes the controls in Policy Rule Index dialog box for ENCRYPT action.

Table 5-40 Controls For ENCRYPT Action


Control	Description
Log	Sets logging behavior. The options are: LOG_NONE - Do not log packets. LOG_SUMMARY - Records the first 40 bytes of the packet in the log. LOG_DETAIL - Records the complete packet in the log. LOG_SESSION - Records information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. Not used for stateless services such as `ip all`.
SNMP	Specifies whether the Screen should issue an SNMP trap message when the rule is applied. The options are: SNMP_NONE - Do not send an SNMP alert message when a packet matches the criteria of this rule. SNMP - Send an SNMP alert message when a packet matches the criteria of this rule.
Encryption	Specifies the version of SKIP. The options are: SKIP_VERSION_1 - Use old-style SKIP to encrypt or decrypt packets. SKIP_VERSION_2 - Use new-style SKIP to encrypt or decrypt packets.
Source Tunnel	Specifies the tunnel address of the from encryptor.
Destination Tunnel	Specifies the tunnel address of the to encryptor.
From Encryptor	Specifies the certificate name for the SKIP host that is encrypting the data. This can be either a Screen or an end-system SKIP host. Either the From Encryptor or the To Encryptor must identify a SKIP certificate on the local Screen
To Encryptor	Specifies the certificate name for the SKIP host that is decrypting the data. This machine can be the local Screen or a remote host.
Key Algorithm	Specifies the type of encryption you want to use for traffic. The options available depend on the strength of encryption that you are using.
Data Algorithm	Specifies the type of encryption you want to use for data. The options available depend on the strength of encryption that you are using.
MAC Algorithm	Specifies the type of authentication that you want to use for packets that meet the criteria of this rule. The MAC algorithm is supported in SKIP version 2. The options are: none MD5 MD5-NAT

SECURE Action

FIGURE 5-44 shows the Policy Rule Index dialog box for SECURE action

Figure 5-44 Policy Rule Index Dialog Box for SECURE Action

TABLE 5-41 describes the controls in Policy Rule Index dialog box for SECURE action.

Table 5-41 Controls for SECURE Action


Control	Description
Log	Sets logging behavior. The options are: LOG_NONE - Do not log packets. LOG_SUMMARY - Record the first 40 bytes of the packet in the log. LOG_DETAIL - Record the complete packet in the log. LOG_SESSION - Record information about the session in the log. The information saved consists of the source and destination addresses and ports (if applicable), the amount of data being sent in each direction, and the length of the session. Not used for stateless services such as `ip all`.
SNMP	Specifies whether the Screen should issue an SNMP trap message when the rule is applied. The options are: SNMP_NONE - Do not send an SNMP alert message when a packet matches the criteria of this rule. SNMP - Send an SNMP alert message when a packet matches the criteria of this rule.
VPN	Specifies the name of the VPN to which the rule applies.

Administrative Access Tab

The Administrative Access rules tab shows access and encryption settings for local and remote administration. FIGURE 5-45 shows the Administrative Access tab. You set the values reflected on the two panels of this tab through the dialog box for each panel.

Figure 5-45 Administrative Access Tab

Access Rules for GUI Local Administration

Use the Access Rules for GUI Local Administration dialog box , shown in FIGURE 5-46, to add or modify administrative access rules for local Administration Stations.

Figure 5-46 Local Access Rules Dialog Box

TABLE 5-42 describes the controls for the Local Access Rules dialog box.

Table 5-42 Controls for the Local Access Rules Dialog Box


Control	Description
Rule Index	Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen	(Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default All applies to all Screens.
User	Lists the user names of SunScreen administrators. Use the names that you defined for the Administrative User object.
Access Level	Specifies what actions the designated user can perform. ALL - Allows the administrator to display and modify all setting for the Screen. WRITE - The administrator can perform all operations except modifying the Administration Access rules for any Policy. READ - The administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the information page. With this access level users cannot modify any Policy data. STATUS - The administrator can display status information (logs, statistics, status information) but cannot display or modify management settings. NONE - The administrator no longer has any access. This switch prevents an administrator who had access from logging in without having to remove that administrator from the database.
Description	(Optional) Provides a brief description of the Administrative Access rule.
Move	Allows you to assign a new rule index number for the rule that you highlighted in the Access Rules for GUI Local Administration panel of the Administrative Access tab.
Delete	Deletes the access rule that you highlighted in the Access Rules for GUI Local Administration panel of the Administrative Access tab.
Help	Displays the online help.

The Access Rules for Remote Administration

Use the Remote Access Rules dialog box , shown in FIGURE 5-47, to add or modify administrative access rules for remote administration stations. The certificates used here must be of the same strength and type as those defined in the screen object. The entries here determine what type of remote Administration Station the Screen will accept. The Screen only uses the administration certificate field of the Screen object here.

Figure 5-47 Remote Access Rules Dialog Box

TABLE 5-43 describes the controls for the Remote Access Rules dialog box.

Table 5-43 Controls for the Remote Access Rules Dialog Box


Control	Description
Rule Index	(Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.
Screen	(Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default All applies to all Screens.
Address Object	Specifies from where users may initiate a connection.
User	Lists the user names of SunScreen administrators. Use the names that you defined for the Administrative User object.
Encryption	Specifies the version of SunScreen SKIP being used to encrypt traffic between the Screen and the Administration Station.
Certificate Group	Specifies the name of the certificate group, which can correspond to a single certificate or a certificate group, allowed over this interface.
Key Algorithm	Identifies the algorithm used to encrypt traffic-encrypting keys. The algorithms available depend on the strength of encryption (128 bit, or 56 bit) that you are using with SunScreen.
Data Algorithm	Identifies the algorithm used to encrypt message traffic between the Screen and the Administration Station. The algorithms available depend on the strength of encryption (128 bit or 56 bit) that you are using with SunScreen.
MAC Algorithm	Identifies the algorithm used to authenticate traffic.
Tunnel	Identifies the tunnel address used for the communication between the remote Administration Station and the Screen.
Access Level	Specifies what actions the designated user can perform: ALL - The administrator can display and modify all settings for the Screen. WRITE - The administrator can perform all operations except modifying the Administration Access rules for any Policy. READ - The administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the information page. With this access level users cannot modify any Policy data. STATUS - The administrator can display status information (logs, statistics, status) but cannot display or modify management settings. NONE - The administrator does not have access.
Description	(Optional) Provides a brief description of the remote administrative access rule.
Move	Enables you to assign a new rule index number for the rule that you highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.
Delete	Deletes the access rule that you highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.
Help	Displays the online help.

NAT Tab

Use the Network Address Translation (NAT) tab, shown in FIGURE 5-48, to set up mapping rules to translate IP addresses according to specific rules. These rules interpret the source and destination of incoming IP packets, then translate either the apparent source or the intended destination, and send the packets on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your SunScreen installation. See "Address" for information on defining addresses, ranges, or groups of addresses.

Figure 5-48 NAT Tab

In general, you map addresses to:

Ensure that internal addresses appear as registered addresses on the Internet, or
Send traffic for a specific destination to a different, predetermined destination.

Translating both source and destination addresses is not possible--that is, making packets appear to come from a different IP address and directing the packets to a different destination simultaneously is not possible.

When defining NAT rules, the first rule (lowest number) that matches a packet is the one that applies, and no other rules can apply; define specific rules first, then broader cases later.

FIGURE 5-49 shows the NAT Definition dialog box .

Figure 5-49 NAT Definition Dialog Box

TABLE 5-44 describes the controls for the NAT Definition dialog box.

Table 5-44 Controls for the NAT Dialog Box


Control	Description
Rule Index	Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the end of the list). If you type a specific number, the new rule is inserted into that position in the list, and the rules currently in the configuration are renumbered.
Screen	(Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default All applies to all Screens.
Mapping	Static - Specify static mapping to set up a one-to-one relationship between two addresses. You could use this to set new apparent IP addresses for hosts on your network without having to reconfigure each host, for example. Dynamic - Specify dynamic mapping to map source addresses to other addresses in a many-to-few relationship. You could use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP access.
Source	Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall.
Destination	Specify the untranslated destination address for the source packet. Destination addresses are the actual addresses contained in the packet entering the firewall.
Translated Source	Specify the translated source address for a packet. The translated source is the address the packet appears to originate from.
Translated Destination	Specify the translated destination packet address. The translated destination is the actual address the packet goes to after it leaves the firewall.
Description	Used to provide a description of the mapping defined in this rule.
Add New	Allows adding a new NAT rule.
Edit	Allows you to edit the NAT rule that you highlighted in the NAT tab.
Move	Allows you assign a new rule index number for the rule that you highlighted in the NAT tab.
Delete	Deletes the access rule that you highlighted in the NAT tab.
Help	Displays the online help.

When defining rules, remember that translating both source and destination addresses is not possible. Either translate packets so they appear to come from a different source, or translate packets so they go to a specific destination, but not both.

All static NAT rules are unidirectional--that is, they work precisely as defined, and are not interpreted as also applying in the reverse direction. For rules to apply in both directions, specify two different rules. For example, if you map the source address internalname.com to the destination publicip.com, you will also have to map the source publicip.com to the destination internalname.com to translate traffic in both directions.

VPN Tab

The VPN tab, shown in FIGURE 5-50, allows you to define VPN gateways. Defining VPN gateways using this mechanism simplifies the creation of VPNs that include more than two gateways and are managed in a centralized management group.

Note -

Each gateway in this type of configuration must be able to connect to the other ones directly--without going through another gateway.

Figure 5-50 VPN Tab

Setting up a VPN requires:

Choosing a name for the VPN.
Defining the VPN gateway.
Adding a rule for the VPN.

Defining VPN Gateways

Use the VPN Definition box , shown in FIGURE 5-51, to define and edit VPN gateways.

Figure 5-51 VPN Definition Dialog Box

TABLE 5-45 describes the controls in the VPN Definition dialog box for defining VPN gateways.

Table 5-45 Controls in the VPN Definition Dialog Box


Control	Descriptions
Rule Index	(Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed the end of the list). Typing a lower number inserts the new rule into the specified position in the list and renumbers the rules currently in the configuration. Rules take effect in order.
Name	Specifies the Name of the VPN to which this gateway belongs. Type the same name in the Name field for each gateway that is in the VPN.
Address	Specifies the machine to be included in the VPN.
Certificate	Specifies the name of the certificate for this VPN gateway.
Key Algorithm	Specifies the secret (key) algorithm the VPN uses. All gateways in the same VPN must use the same (key) algorithm.
Data Algorithm	Specifies the data algorithm the VPN uses. All gateways in the same VPN must use the same data algorithm.
MAC Algorithm	Specifies the MAC algorithm the VPN uses. All gateways in the same VPN must use the same MAC algorithm.
Tunnel Address	Specifies the destination address on the outer (unencrypted) IP packet to which tunnel packets are sent.
Description	(Optional) Provides a short description of the VPN gateway.
Add New	Allows adding a new VPN rule.
Edit	Allows you to edit the VPN rule that you highlighted in the NAT tab.
Move	Allows assigning a new rule index number for the rule highlighted in the NAT tab.
Delete	Deletes the access rule highlighted in the VPN tab.
Help	Displays the online help.

Adding a VPN Rule

After defining the gateways in a VPN, add a packet-filtering rule for this VPN. Add the packet-filtering rule using the Packet Filter tab.

When adding a packet-filtering rule for a VPN, leave the Screen field empty.

Specify SECURE for the packet-filtering action.
Type the name of the VPN in the VPN field.

Note -
Use any address in the VPN rules. Only addresses that interact with a VPN Gateway and the address specified in the rule will apply. The simplest rule uses * for the source and destination address. This rule allows encrypted use of the specified service for all addresses in the VPN.

Administration GUI Limitations

The administration graphical user interface (GUI) performs almost all the normal administration tasks, but it does not support every option of the command line interface. The command line offers many options for each command. Appendix B, Command-Line Reference contains information about the command line interface.