SunScreen 3.1 Reference Manual
Book Information
Preface
Chapter 1 SunScreen Overview
What Is SunScreen?
Software and Hardware Requirements
Required Patches
Java Plug-In Software
Compatibility With Other SunScreen Products
SunScreen Lite
Limitations
Supported Features
Online Help and Documentation
Chapter 2 SunScreen Concepts
Security Considerations
SunScreen
How SunScreen Works
Routing and Stealth Modes
Routing Mode
Stealth Mode
Both Routing and Stealth Mode
Administration
Remote Administration
Local Administration
Locating the SunScreen Screen
Security Policy
Configuration
Dynamic Packet Filtering
Centralized Management Group
Network Address Translation (NAT)
Tunneling and Virtual Private Networks (VPN)
High Availability (HA)
Encryption
Logging
Proxies
Using Proxies
Event Logging With Proxies
Chapter 3 Packet Screening
Dynamic Packet Filtering
Policy Rules
Rule Syntax
Example of a Rule Configuration
Policy Versions
Routing, Stealth, HA, and Administration Interfaces
Routing Interfaces
Stealth Interfaces
Administration Interfaces
Mixing Routing and Stealth Interfaces on a Single Screen
HA Interface
Addresses
Individual IP Addresses
Address Ranges
Address Groups
Designing an Addressing Scheme
Services
Standard Services
Modifying or Creating New Services
Service Groups
Time
Screen
Screen Object
Define Screen's Name Properly
Certificate and Certificate Groups
Generate Screen Certificate
Associate MKID
Chapter 4 Administration
Administering the Screen
Remote Administration
Local Administration
Centralized Management Groups of Screens
Centralized Administration
Common Objects Used in Centralized Administration
Creating Common Objects and Policies for Multiple Screens
Address Objects
Interface Objects
Rules
Chapter 5 Administration Graphical User Interface
Connecting to the Administration GUI
Browser Title Bar
Navigation Buttons on the Navigation Browser Bar
Universal Resource Locator (URL)
The Administration GUI
Login Page
Changing the Password
Online Documentation
SunScreen Information Page
Administration GUI Navigation Bar and Buttons
The Name of the Screen
The Log Browser Tabs on the Information Page
Status Tab
Logs Tab
Retrieval Setting Tab
Setting a Log Viewing Filter
The Information Tab
Statistics Tab
The Action Buttons
Help System
Policies List Page
Policies List Panel
Types of Policies
Policies List Page Action Buttons
Policy Rules Page
Administration GUI Navigation Buttons
The Policy Rules Page Command Buttons
Common Objects Panel
Common Objects
Save Is Not Required With Certain Common Objects
Service
Single Service
Service Group
Address
Host
Range
Group
Certificate
Generate Screen Certificate
Associate MKID
Certificate Group
Screen
Miscellaneous Tab
SNMP Tab
Primary/Secondary Tab
Mail Proxy
Interface
Proxy User
Single
Group
Authorized User
Administrative User
Jar Signature
Jar Hash
Time
Policy Rules Panel
Packet Filtering Tab
ALLOW Action
DENY Action
ENCRYPT Action
SECURE Action
Administrative Access Tab
Access Rules for GUI Local Administration
The Access Rules for Remote Administration
NAT Tab
VPN Tab
Defining VPN Gateways
Adding a VPN Rule
Administration GUI Limitations
Chapter 6 Encryption, Tunneling, and Virtual Private Networks
Encryption and Decryption
How SunScreen Uses Encryption
Packet Examination
Remote Administration
Tunneling
Defining a VPN
Adding a VPN Rule
VPN Limitations
Chapter 7 Network Address Translation
Network Address Translation (NAT)
NAT Rules
Static NAT
One-to-One Translations
Address Range to Another Address Range
Dynamic NAT
Dynamic NAT Collisions
Choosing NAT Addresses
NAT Examples
Example One
Example Two
Scenario 1: DMZ Uses Registered Addresses
Scenario 2: DMZ Uses NAT Addresses
Routing Interface Examples
Stealth Interface Examples
Applying NAT
Chapter 8 High Availability
High Availability (HA)
HA Policy
HA Network Connections and Failovers
Configuring HA
Administering HA
Chapter 9 Authentication
User Authentication
User Identification
Save Is Not Required With Certain Common Objects
Authorized Users
Defining an Authorized User Object
Creating an Authorized User Object
Authorized User Authentication Processing Logic
Administrative User
Proxy Users
Defining a Proxy User Object
Creating a Proxy User Object
Proxy User Processing Logic
Null Authentication
Referenced Authorized User Authentication
SPECIAL External Method Authentication
User Access Control Processing Logic
RADIUS User Authentication Details
RADIUS Server Configuration
RADIUS Node Secret Configuration
Typical RADIUS Configuration
Other vars for RADIUS Configuration
Other RADIUS Protocol Notes
RADIUS Testing
RADIUS Usage
SecurID User Authentication Processing Details
ACE/Client, ACE/Agent, and the SunScreen Stub Client
SecurID ACE/Agent
SecurID Stub Client
SecurID Access Paths
SecurID PIN Establishment
Typical SecurID Configuration
Other SecurID Details
SecurID Usage
Chapter 10 Proxies
SunScreen Proxies
How Proxies Work
Policy Rule Matching
Proxy User Authentication
Proxy Limitations
Save Is Not Required With Certain Common Objects
FTP Proxy
FTP Proxy Operation
FTP Proxy and Anonymous FTP
FTP Proxy Use
Other FTP Proxy Issues
HTTP Proxy
HTTP -> FTP Proxy: The ftp:// Method
HTTP Proxy Operation
Java Virtual Machine (JVM)
Jar Hashes and Signatures
Jar Hashes
Jar Signatures
HTTP Proxy Limitations
SMTP Proxy
SMTP Proxy Operation
Spam Control
Relay Control
Other Mail Configuration Issues
SMTP Proxy Rules
Telnet Proxy
Telnet Proxy Operation
Other Telnet Proxy Issues
Telnet Proxy Use
Using SKIP Encryption with Proxies
Chapter 11 Logging
Packet Logging
Logging Limitations
Save Is Not Required With Certain Common Objects
Log File Locations
Configuring Traffic Log Size
Configuring the Global Default Log Size
Configuring the Log Size for a Specific Screen
Configuring Events to be Logged
Network Traffic (Packet)
Network Session Summaries
Extended Events
Size of Logged Items
Level of Logging
Configuring Log Event Limiters
Log Retrieval and Clearing
Log Statistics
ssadm logstats Subcommand
Log Inspection and Browsing
Log Filters and the logdump Command
logdump Extensions
Logged Network Packet Enhancements
General Event Type Enhancements
Log Record Format
Extended Log Event Enhancements
Log Filtering Macros
Displaying and Creating Log Macros
Log Macro Name and Body
Listing Log Macros
Log Macro Usage
Appendix A Migrating From Previous SunScreen Firewall Products
Appendix B Command-Line Reference
What Is the Command Line?
UNIX (shell) Commands
ss_install Command
ssadm Command
Executing an ssadm Command From a Local Screen
Executing an ssadm -r Command on a Remote Administration Station
ssadm Subcommands
ssadm Subcommand Summary
activate Subcommand
active Subcommand
algorithm Subcommand
backup Subcommand
debug_level Subcommand
edit Subcommand
ha Subcommand
lock Subcommand
log Subcommand
logdump Subcommand
login Subcommand
logout Subcommand
logmacro Subcommand
logstats Subcommand
patch Subcommand
policy Subcommand
product Subcommand
restore Subcommand
spf2efs Subcommand
sys_info Subcommand
traffic_stats Subcommand
Unsupported Commands
ssadm lib/screeninfo Command
ssadm lib/statetables -f Command
ssadm lib/support Command
ss_client Command
ssadm SKIP Commands
Configuration Editor
Configuration Editor Data Model
Configuration Editor Commands
add Subcommand
add address Subcommand
add screen Subcommand
add service Subcommand
add interface Subcommand
add certificate Subcommand
add time Subcommand
add rule Subcommand
add nat Subcommand
add accesslocal Subcommand
add accessremote Subcommand
add vpngateway Subcommand
add_member Subcommand
authuser Subcommand
delete Subcommand
delete_member Subcommand
insert Subcommand
jar_hash Subcommand
jar_sig Subcommand
list Subcommand
list_name Subcommand
load Subcommand
lock Subcommand
lock_status Subcommand
search Subcommand
move Subcommand
replace Subcommand
refer Subcommand
referlist Subcommand
rename Subcommand
renamereference Subcommand
save Subcommand
saveas Subcommand
reload Subcommand
verify Subcommand
mail_relay Subcommand
mail_spam Subcommand
proxyuser Subcommand
vars Subcommand
quit Subcommand
QUIT Subcommand
Network Monitoring and Maintenance
Using the ssadm logdump Command
Using the ssadm debug_level Command
Gathering Information From Your System to Report Support Issues
Appendix C Services and State Engines
Standard Services
ftp Service
traceroute Service
ip Services
VDOLive Service
CoolTalk Service
nfs readonly Service
smtp (Electronic Mail) Service
www (World-Wide-Web Access) Service
dns Service
rip Service
sqlnet Services
realaudio Services
icmp Services
esp Services
ah Services
isakmp Services
ipv6 tunnel Services
ipsec
IP Packets
ICMP Packets
TCP Services
UDP Services
ntp Service
archie Service
rpc Service
Network Service Groups
State Engines
Characteristics of State Engines
dns State Engine
ftp State Engine
icmp State Engine
ip State Engine
ipfwd State Engine
ipmobile State Engine
iptunnel State Engine
nis State Engine
ping State Engine
pmap_nis State Engine
pmap_tcp State Engine
pmap_udp State Engine
realaudio State Engine
rpc_tcp State Engine
rpc_udp State Engine
rsh State Engine
sqlnet State Engine
tcp State Engine
tcpall State Engine
udp State Engine
udpall State Engine
udp_datagram State Engine
udp_stateless State Engine
Appendix D Error Messages
Error Messages From the ssadm edit Component
Error Messages From the ssadm activate Component
Error Messages From the ssadm lock Component
Logged Packet Reasons - why codes
Glossary
Index
Numbers and Symbols
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
R
S
T
U
V
W
X
© 2010, Oracle Corporation and/or its affiliates